Red Hat Bugzilla – Attachment 1976292 Details for Bug 2223471: incorrect remediation description for xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading in xccdf_org.ssgproject.content_profile_ism_o
oscap html report
scan-report.html (text/html), 3.27 MB, created by Daniel Reynolds on 2023-07-18 02:58:10 UTC
Description: oscap html report
Filename: scan-report.html
MIME Type: text/html
Creator: Daniel Reynolds
Created: 2023-07-18 02:58:10 UTC
Size: 3.27 MB
[Attachment content: OpenSCAP Evaluation Report, "xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ism_o" (HTML report; only the page title survives here, the remainder being the report's embedded Bootstrap stylesheet)]
.badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary 
.badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success 
.badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar 
.input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open 
</style><script>
c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return 
d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," 
":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var 
j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return 
a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function 
ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var 
l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return 
null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof 
n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return 
u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return 
n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else 
if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0; >}return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 
0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once 
0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete 
this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof 
b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ 
\t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to 
"+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof 
l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return 
n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var 
c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof 
g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not 
called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,jc.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ja([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var lc=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&lc)return lc.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h,a.length)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function mc(a){return n.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&n.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return 
b=f.documentElement,n.contains(b,e)?("undefined"!=typeof e.getBoundingClientRect&&(d=e.getBoundingClientRect()),c=mc(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===n.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(c=a.offset()),c.top+=n.css(a[0],"borderTopWidth",!0),c.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-n.css(d,"marginTop",!0),left:b.left-c.left-n.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&!n.nodeName(a,"html")&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Qa})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);n.fn[a]=function(d){return Y(this,function(a,d,e){var f=mc(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?n(f).scrollLeft():e,c?e:n(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ua(l.pixelPosition,function(a,c){return c?(c=Sa(a,b),Oa.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({ >padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return Y(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 
1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}}),n.fn.size=function(){return this.length},n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var nc=a.jQuery,oc=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=oc),b&&a.jQuery===n&&(a.jQuery=nc),n},b||(a.jQuery=a.$=n),n}); >(function(c){var b,d,a;b=(function(){function e(h,f,g){var j;this.row=h;this.tree=f;this.settings=g;this.id=this.row.data(this.settings.nodeIdAttr);j=this.row.data(this.settings.parentIdAttr);if(j!=null&&j!==""){this.parentId=j}this.treeCell=c(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=c(this.settings.expanderTemplate);this.indenter=c(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter)}e.prototype.addChild=function(f){return this.children.push(f)};e.prototype.ancestors=function(){var f,g;g=this;f=[];while(g=g.parentNode()){f.push(g)}return f};e.prototype.collapse=function(){if(this.collapsed()){return this}this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null){this.settings.onNodeCollapse.apply(this)}return this};e.prototype.collapsed=function(){return this.row.hasClass("collapsed")};e.prototype.expand=function(){if(this.expanded()){return this}this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null){this.settings.onNodeExpand.apply(this)}if(c(this.row).is(":visible")){this._showChildren()}this.expander.attr("title",this.settings.stringCollapse);return this};e.prototype.expanded=function(){return this.row.hasClass("expanded")};e.prototype.hide=function(){this._hideChildren();this.row.hide();return this};e.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true){return true}else{return 
false}};e.prototype.updateBranchLeafClass=function(){this.row.removeClass("branch");this.row.removeClass("leaf");this.row.addClass(this.isBranchNode()?"branch":"leaf")};e.prototype.level=function(){return this.ancestors().length};e.prototype.parentNode=function(){if(this.parentId!=null){return this.tree[this.parentId]}else{return null}};e.prototype.removeChild=function(g){var f=c.inArray(g,this.children);return this.children.splice(f,1)};e.prototype.render=function(){var g,f=this.settings,h;if(f.expandable===true&&this.isBranchNode()){g=function(j){c(this).parents("table").treetable("node",c(this).parents("tr").data(f.nodeIdAttr)).toggle();return j.preventDefault()};this.indenter.html(this.expander);h=f.clickableNodeNames===true?this.treeCell:this.expander;h.off("click.treetable").on("click.treetable",g);h.off("keydown.treetable").on("keydown.treetable",function(j){if(j.keyCode==13){g.apply(this,[j])}})}this.indenter[0].style.paddingLeft=""+(this.level()*f.indent)+"px";return this};e.prototype.reveal=function(){if(this.parentId!=null){this.parentNode().reveal()}return this.expand()};e.prototype.setParent=function(f){if(this.parentId!=null){this.tree[this.parentId].removeChild(this)}this.parentId=f.id;this.row.data(this.settings.parentIdAttr,f.id);return f.addChild(this)};e.prototype.show=function(){if(!this.initialized){this._initialize()}this.row.show();if(this.expanded()){this._showChildren()}return this};e.prototype.toggle=function(){if(this.expanded()){this.collapse()}else{this.expand()}return this};e.prototype._hideChildren=function(){var k,j,g,h,f;h=this.children;f=[];for(j=0,g=h.length;j<g;j++){k=h[j];f.push(k.hide())}return f};e.prototype._initialize=function(){var f=this.settings;this.render();if(f.expandable===true&&f.initialState==="collapsed"){this.collapse()}else{this.expand()}if(f.onNodeInitialized!=null){f.onNodeInitialized.apply(this)}return this.initialized=true};e.prototype._showChildren=function(){var 
</script></head><body><nav class="navbar navbar-default"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg
xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</h2><blockquote>with profile <mark>Australian Cyber Security Centre (ACSC) ISM Official</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configuration checks for Red Hat Enterprise Linux 9
that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM)
with the applicability marking of OFFICIAL.

The ISM uses a risk-based approach to cyber security.
This profile provides a guide to aligning
Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls
specific to an organisation's security posture and risk profile.

A copy of the ISM can be found at the ACSC website:

https://www.cyber.gov.au/ism</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br>

<a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>
</div><div class="description">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation. The SCAP content is
available in the <code>scap-security-guide</code> package which is developed at

<a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>.
<br><br>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <em>catalog, not a
checklist</em>, and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives.
Some example
XCCDF <em>Profiles</em>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG, which provides required
settings for US Department of Defense systems, is one example of a baseline
created from this guidance.
</div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and make no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.
</div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td></tr><tr><th>Benchmark URL</th><td>#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-9</td></tr><tr><th>Benchmark version</th><td>0.1.66</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr><tr><th>Started at</th><td>2023-07-18T12:27:24+10:00</td></tr><tr><th>Finished at</th><td>2023-07-18T12:28:10+10:00</td></tr><tr><th>Performed by</th><td>quickcluster</td></tr><tr><th>Test system</th><td>cpe:/a:redhat:openscap:1.3.7</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:9 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div><div class="col-md-4
horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>
 127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span>
 10.0.88.46</li><li class="list-group-item"><span class="label label-info">IPv6</span>
 0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>
 2620:52:0:58:f816:3eff:fe08:c2fe</li><li class="list-group-item"><span class="label label-info">IPv6</span>
 fe80:0:0:0:f816:3eff:fe08:c2fe</li><li class="list-group-item"><span class="label label-default">MAC</span>
 00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>
 FA:16:3E:08:C2:FE</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 82 rules!</strong>
Please review rule results and consider applying remediation.
</div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were 145 rules taken into account."><div class="progress-bar progress-bar-success" style="width: 42.0689655172414%">61 passed
</div><div class="progress-bar progress-bar-danger" style="width: 56.551724137931%">82 failed
</div><div class="progress-bar progress-bar-warning" style="width: 1.379310344827589%">2 other
</div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order).
There were 82 total failed rules."><div class="progress-bar progress-bar-success" style="width: 0%">0 other
</div><div class="progress-bar progress-bar-info" style="width: 4.878048780487805%">4 low
</div><div class="progress-bar progress-bar-warning" style="width: 87.8048780487805%">72 medium
</div><div class="progress-bar progress-bar-danger" style="width: 7.317073170731707%">6 high
</div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">62.740814</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 62.740814%">62.74%</div><div class="progress-bar progress-bar-danger" style="width: 37.259186%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass">pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed">fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational">informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail">fail</label></div><div class="checkbox"><label><input class="toggle-rule-display"
type="checkbox" onclick="toggleRuleDisplay(this)" checked value="error">error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown">unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked">notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable">notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p>
Group rules by:
<select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>──────────</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</option><option value="https://public.cyber.mil/stigs/cci/">https://public.cyber.mil/stigs/cci/</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os</option><option value="https://www.cisecurity.org/benchmark/red_hat_linux/">https://www.cisecurity.org/benchmark/red_hat_linux/</option><option
value="https://www.cisecurity.org/controls/">https://www.cisecurity.org/controls/</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu</option><option value="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat</option><option value="https://www.isaca.org/resources/cobit">https://www.isaca.org/resources/cobit</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-9" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</strong> <span class="badge">82x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> 
<span class="badge">62x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">9x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System and Software Integrity</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Software Integrity Checking</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px"><strong>Verify Integrity with RPM</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-overview-leaf-idm46361753259424" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST 
SP 800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753259424" onclick="return openRuleDetailsDialog('idm46361753259424')">Verify File Hashes with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-overview-leaf-idm46361753255456" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 
800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5","PR.IP-1","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001494","CCI-001496"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.15"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5","6","9"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.3.7.3","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753255456" onclick="return openRuleDetailsDialog('idm46361753255456')">Verify and Correct Ownership with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753251488" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5","PR.IP-1","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001493","CCI-001494","CCI-001495","CCI-001496"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098","SRG-OS-000258-GPOS-00099","SRG-OS-000278-GPOS-00108"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.15"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5","6","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.3.7.3","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753251488" onclick="return openRuleDetailsDialog('idm46361753251488')">Verify and Correct File Permissions with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px"><strong>Verify Integrity with AIDE</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753247504" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"":["1034","1288","1341","1417"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-002696","CCI-002699","CCI-001744"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.3.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753247504" onclick="return openRuleDetailsDialog('idm46361753247504')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Federal Information Processing Standard 
(FIPS)</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_fips_mode" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753213824" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"":["1446","SRG-OS-000120-VMM-000600","SRG-OS-000478-VMM-001980","SRG-OS-000396-VMM-001590"],"NIST SP 800-53":["CM-3(6)","SC-12(2)","SC-12(3)","IA-7","SC-13","CM-6(a)","SC-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000068","CCI-000803","CCI-002450"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000478-GPOS-00223","SRG-OS-000396-GPOS-00176"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_COP.1(1)","FCS_COP.1(2)","FCS_COP.1(3)","FCS_COP.1(4)","FCS_CKM.1","FCS_CKM.2","FCS_TLSC_EXT.1","FCS_RBG_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753213824" onclick="return openRuleDetailsDialog('idm46361753213824')">Enable FIPS Mode</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_crypto" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>System Cryptographic Policies</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753198848" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"":["1446"],"NIST SP 800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000396-GPOS-00176","SRG-OS-000393-GPOS-00173","SRG-OS-000394-GPOS-00174"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.10"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_COP.1(1)","FCS_COP.1(2)","FCS_COP.1(3)","FCS_COP.1(4)","FCS_CKM.1","FCS_CKM.2","FCS_TLSC_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753198848" onclick="return openRuleDetailsDialog('idm46361753198848')">Configure System Cryptography Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="rule-overview-leaf-idm46361753180512" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 
800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13"],"https://public.cyber.mil/stigs/cci/":["CCI-001453"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000250-GPOS-00093"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.14"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_SSH_EXT.1","FCS_SSHS_EXT.1","FCS_SSHC_EXT.1"],"PCI-DSS Requirement":["Req-2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753180512" onclick="return openRuleDetailsDialog('idm46361753180512')">Configure SSH to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Sudo</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sudo_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-overview-leaf-idm46361753037232" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["1382","1384","1386"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R19)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.3.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-10.2.1.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753037232" onclick="return openRuleDetailsDialog('idm46361753037232')">Install sudo Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm46361753022496" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753022496" onclick="return openRuleDetailsDialog('idm46361753022496')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753018496" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753018496" onclick="return openRuleDetailsDialog('idm46361753018496')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_require_authentication" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753014528" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"NIST SP 800-53":["IA-11","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.3.4"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753014528" onclick="return openRuleDetailsDialog('idm46361753014528')">Ensure Users Re-Authenticate for Privilege Escalation - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System Tooling / Utilities</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rear_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752980784" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361752980784" onclick="return openRuleDetailsDialog('idm46361752980784')">Install rear Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">2x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752945632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752945632" onclick="return openRuleDetailsDialog('idm46361752945632')">Configure dnf-automatic to Install Only Security Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm46361752941632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.2"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752941632" onclick="return openRuleDetailsDialog('idm46361752941632')">Ensure gpgcheck Enabled In Main dnf Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752937632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" 
data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-11(a)","CM-11(b)","CM-6(a)","CM-5(3)","SA-12","SA-12(10)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752937632" onclick="return openRuleDetailsDialog('idm46361752937632')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idm46361752933632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752933632" onclick="return openRuleDetailsDialog('idm46361752933632')">Ensure gpgcheck Enabled for All dnf Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idm46361752929632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" 
data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.1"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2","CIP-007-3 R5.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752929632" onclick="return openRuleDetailsDialog('idm46361752929632')">Ensure Red Hat GPG Key Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm46361752925632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["SI-2(5)","SI-2(c)","CM-6(a)"],"ANSSI":["BP28(R08)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.RA-1","PR.IP-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.9"],"https://www.cisecurity.org/controls/":["18","20","4"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3","4.2.3.12","4.2.3.7","4.2.3.9"],"https://www.isaca.org/resources/cobit":["APO12.01","APO12.02","APO12.03","APO12.04","BAI03.10","DSS05.01","DSS05.02"],"ISO 27001-2013":["A.12.6.1","A.14.2.3","A.16.1.3","A.18.2.2","A.18.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752925632" onclick="return openRuleDetailsDialog('idm46361752925632')">Ensure Software Patches Installed</a> () </td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">10x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Configuring PAM</strong> <span class="badge">6x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Lockouts for Failed Password Attempts</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752843360" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-171":["3.1.8"],"NIST SP 
800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2","5.5.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752843360" onclick="return openRuleDetailsDialog('idm46361752843360')">Lock Accounts After Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752838496" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)","IA-5(c)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752838496" onclick="return openRuleDetailsDialog('idm46361752838496')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752829680" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 
800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752829680" onclick="return openRuleDetailsDialog('idm46361752829680')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752822064" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000329-VMM-001180"],"NIST SP 800-171":["3.1.8"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752822064" onclick="return openRuleDetailsDialog('idm46361752822064')">Set Lockout Time for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Password Quality Requirements</strong> <span class="badge">1x fail</span></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px"><strong>Set Password Quality Requirements with pam_pwquality</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752793456" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000072-VMM-000390","SRG-OS-000078-VMM-000450"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 
27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361752793456" onclick="return openRuleDetailsDialog('idm46361752793456')">Ensure PAM Enforces Password Requirements - Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_display_login_attempts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752871760" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-53":["AC-9","AC-9(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000052"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.2"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-10.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752871760" onclick="return 
openRuleDetailsDialog('idm46361752871760')">Ensure PAM Displays Last Logon/Access Notification</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Physical Console Access<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-physical");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_emergency_target_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_emergency_target_auth" id="rule-overview-leaf-idm46361752747952" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 
800-53":["IA-2","AC-3","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752747952" onclick="return openRuleDetailsDialog('idm46361752747952')">Require Authentication for Emergency Systemd Target</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idm46361752743952" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 800-53":["IA-2","AC-3","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 
27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752743952" onclick="return openRuleDetailsDialog('idm46361752743952')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752689296" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000076-GPOS-00044"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752689296" onclick="return openRuleDetailsDialog('idm46361752689296')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752684448" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000198"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000075-GPOS-00043"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.2"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.3.9"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752684448" onclick="return openRuleDetailsDialog('idm46361752684448')">Set Password Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" 
id="rule-overview-leaf-idm46361752671456" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.3"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.3.9"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752671456" onclick="return openRuleDetailsDialog('idm46361752671456')">Set Password Warning Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td 
colspan="3" style="padding-left: 76px"><strong>Verify Proper Storage and Existence of Password Hashes</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-overview-leaf-idm46361752666576" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"":["1410"],"NIST SP 800-171":["3.5.10"],"NIST SP 800-53":["IA-5(h)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.2.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.5.2"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752666576" onclick="return openRuleDetailsDialog('idm46361752666576')">Verify All Account Password Hashes are Shadowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752651744" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["IA-5(1)(a)","IA-5(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"],"PCI-DSS 
Requirement":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752651744" onclick="return openRuleDetailsDialog('idm46361752651744')">Prevent Login to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-overview-leaf-idm46361752634272" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["IA-2","AC-6(5)","IA-4(b)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.2.9"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752634272" onclick="return openRuleDetailsDialog('idm46361752634272')">Verify Only Root Has UID 0</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-overview-leaf-idm46361752622816" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"":["1491"],"NIST SP 
800-53":["AC-6","CM-6(a)","CM-6(b)","CM-6.1(iv)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS06.03"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.6.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752622816" onclick="return openRuleDetailsDialog('idm46361752622816')">Ensure that System Accounts Do Not Run a Shell Upon Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_authselect" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752918272" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts" data-references='{"NIST SP 
800-53":["AC-3"],"ANSSI":["BP28(R5)"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.1"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1","FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361752918272" onclick="return openRuleDetailsDialog('idm46361752918272')">Enable authselect</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with auditd</strong> <span class="badge">27x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Rules for Comprehensive Auditing</strong> <span class="badge">24x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Events that Modify the System's Discretionary Access Controls</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752435232" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"":["SRG-OS-000458-VMM-001810","SRG-OS-000474-VMM-001940"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000064-GPOS-00033","SRG-OS-000466-GPOS-00210","SRG-OS-000458-GPOS-00203"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.9"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752435232" onclick="return openRuleDetailsDialog('idm46361752435232')">Record Events that Modify the System's Discretionary Access Controls - chmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752431232" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"":["SRG-OS-000458-VMM-001810","SRG-OS-000474-VMM-001940"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000064-GPOS-00033","SRG-OS-000466-GPOS-00210","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.9"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752431232" onclick="return openRuleDetailsDialog('idm46361752431232')">Record Events that Modify the System's Discretionary Access Controls - chown</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Execution Attempts to Run SELinux Privileged Commands</strong> <span class="badge">6x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752386592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000468-GPOS-00212","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.15"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752386592" onclick="return openRuleDetailsDialog('idm46361752386592')">Record Any Attempts to Run chcon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least 
one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752382592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752382592" onclick="return openRuleDetailsDialog('idm46361752382592')">Record Any Attempts to Run restorecon</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752378592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752378592" onclick="return openRuleDetailsDialog('idm46361752378592')">Record Any Attempts to Run semanage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752374592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752374592" onclick="return openRuleDetailsDialog('idm46361752374592')">Record Any Attempts to Run setfiles</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752370592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td 
style="padding-left: 95px"><a href="#rule-detail-idm46361752370592" onclick="return openRuleDetailsDialog('idm46361752370592')">Record Any Attempts to Run setsebool</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752366592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000172"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752366592" onclick="return openRuleDetailsDialog('idm46361752366592')">Record Any Attempts to Run seunshare</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_file_modification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_file_modification" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Unauthorized Access Attempts Events to Files (unsuccessful)</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" 
id="rule-overview-leaf-idm46361752285856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_modification" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752285856" onclick="return openRuleDetailsDialog('idm46361752285856')">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on Kernel Modules Loading and Unloading</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752202864" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752202864" onclick="return openRuleDetailsDialog('idm46361752202864')">Ensure auditd Collects Information on Kernel Module Loading and Unloading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Attempts to Alter Logon and Logout Events</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752190704" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"NIST SP 
800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752190704" onclick="return openRuleDetailsDialog('idm46361752190704')">Record Attempts to Alter Logon and Logout Events</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752186720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.12"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752186720" onclick="return openRuleDetailsDialog('idm46361752186720')">Record Attempts to Alter Logon and Logout Events - faillock</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752182720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000473-GPOS-00218","SRG-OS-000470-GPOS-00214"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.12"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752182720" onclick="return openRuleDetailsDialog('idm46361752182720')">Record Attempts to Alter Logon and Logout Events - lastlog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752178720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884","CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 
2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752178720" onclick="return openRuleDetailsDialog('idm46361752178720')">Record Attempts to Alter Logon and Logout Events - tallylog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on the Use of Privileged Commands</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" class="rule-overview-leaf 
rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752163904" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"":["0582","0584","05885","0586","0846","0957","SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-2","DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","DE.DP-4","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4","RS.CO-2"],"https://public.cyber.mil/stigs/cci/":["CCI-002234"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000327-GPOS-00127"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.6"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 3.9","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.5","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.3.4.5.9","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO08.04","APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.05","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.1","A.16.1.2","A.16.1.3","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.3","A.6.2.1","A.6.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"PCI-DSS Requirement":["Req-10.2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752163904" onclick="return openRuleDetailsDialog('idm46361752163904')">Ensure auditd Collects Information on the Use of Privileged Commands</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_time_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_time_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Records Events that Modify Date and Time Information</strong> <span class="badge">5x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752091856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752091856" onclick="return openRuleDetailsDialog('idm46361752091856')">Record attempts to alter time through adjtimex</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752087856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752087856" onclick="return openRuleDetailsDialog('idm46361752087856')">Record Attempts to Alter Time Through clock_settime</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752083856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752083856" onclick="return openRuleDetailsDialog('idm46361752083856')">Record attempts to alter time through settimeofday</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752079856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752079856" onclick="return openRuleDetailsDialog('idm46361752079856')">Record Attempts to Alter Time Through stime</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752075872" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752075872" onclick="return openRuleDetailsDialog('idm46361752075872')">Record Attempts to Alter the localtime File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752504752" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.5"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752504752" onclick="return openRuleDetailsDialog('idm46361752504752')">Record Events that Modify the System's Network Environment</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_session_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752500736" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.11"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752500736" onclick="return openRuleDetailsDialog('idm46361752500736')">Record Attempts to Alter Process and Session Initiation Information</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752488656" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000462-VMM-001840","SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(7)(b)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-1","PR.AC-3","PR.AC-4","PR.AC-6","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000304-GPOS-00121","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000470-GPOS-00214","SRG-OS-000471-GPOS-00215","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000304-GPOS-00121","SRG-OS-000466-GPOS-00210","SRG-OS-000476-GPOS-00221"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.2.2","4.3.3.3.9","4.3.3.5.1","4.3.3.5.2","4.3.3.5.8","4.3.3.6.6","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS06.03","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.2","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.1.5","Req-10.2.2","Req-10.2.5.b"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752488656" onclick="return openRuleDetailsDialog('idm46361752488656')">Ensure auditd Collects System Administrator Actions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752481952" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-1","PR.AC-3","PR.AC-4","PR.AC-6","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000018","CCI-000130","CCI-000172","CCI-001403","CCI-002130"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000239-GPOS-00089","SRG-OS-000241-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000476-GPOS-00221"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.2.2","4.3.3.3.9","4.3.3.5.1","4.3.3.5.2","4.3.3.5.8","4.3.3.6.6","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS06.03","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.2","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752481952" onclick="return openRuleDetailsDialog('idm46361752481952')">Record Events that Modify User/Group Information</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Data Retention</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" id="rule-overview-leaf-idm46361752036624" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-171":["3.3.1"],"NIST SP 
800-53":["AU-11","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001576"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.3","CIP-004-6 R3.3","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752036624" onclick="return openRuleDetailsDialog('idm46361752036624')">Configure auditd flush priority</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_freq" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-overview-leaf-idm46361752012816" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000051-GPOS-00024"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752012816" onclick="return openRuleDetailsDialog('idm46361752012816')">Set number of records to cause an explicit flush to audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_local_events" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-overview-leaf-idm46361752008848" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000062-GPOS-00031","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752008848" onclick="return openRuleDetailsDialog('idm46361752008848')">Include Local Events in Audit Logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_log_format" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-overview-leaf-idm46361752004880" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6","AU-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000255-GPOS-00096","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752004880" onclick="return openRuleDetailsDialog('idm46361752004880')">Resolve information before writing to audit logs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_name_format" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752000912" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6","AU-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000039-GPOS-00017","SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752000912" onclick="return openRuleDetailsDialog('idm46361752000912')">Set hostname as computer node name in audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_write_logs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-overview-leaf-idm46361751994240" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_STG.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751994240" onclick="return openRuleDetailsDialog('idm46361751994240')">Write Audit Logs to the Disk</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_policy_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_policy_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>System Accounting with auditd</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_access_failed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751990272" data-tt-parent-id="xccdf_org.ssgproject.content_group_policy_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 
800-53":["AU-2(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219","SRG-OS-000475-GPOS-00220","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209","SRG-OS-000461-GPOS-00205"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751990272" onclick="return openRuleDetailsDialog('idm46361751990272')">Configure auditing of unsuccessful file accesses</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_access_success" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751980896" data-tt-parent-id="xccdf_org.ssgproject.content_group_policy_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-53":["AU-2(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219","SRG-OS-000475-GPOS-00220","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209","SRG-OS-000461-GPOS-00205"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751980896" onclick="return openRuleDetailsDialog('idm46361751980896')">Configure auditing of successful file accesses</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Ensure Proper Configuration of Log Files</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-overview-leaf-idm46361751554064" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751554064" onclick="return openRuleDetailsDialog('idm46361751554064')">Ensure cron Is Logging To Rsyslog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-overview-leaf-idm46361751541920" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 
R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751541920" onclick="return openRuleDetailsDialog('idm46361751541920')">Ensure Log Files Are Owned By Appropriate Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-overview-leaf-idm46361751537920" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS 
Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751537920" onclick="return openRuleDetailsDialog('idm46361751537920')">Ensure Log Files Are Owned By Appropriate User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751533936" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.3"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751533936" onclick="return openRuleDetailsDialog('idm46361751533936')">Ensure System Log Files Have Correct Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td 
colspan="3" style="padding-left: 57px">Configure rsyslogd to Accept Remote Messages If Acting as a Log Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-overview-leaf-idm46361751503424" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.IP-1","PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000366","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.7"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.3.9","4.3.3.4","4.3.3.5.8","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751503424" onclick="return openRuleDetailsDialog('idm46361751503424')">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751499456" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405","SRG-OS-000032-VMM-000130"],"NIST SP 
800-53":["CM-6(a)","AU-4(1)","AU-9(2)"],"ANSSI":["BP28(R7)","NT28(R43)","NT12(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000480-GPOS-00227","SRG-OS-000342-GPOS-00133"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.6"],"https://www.cisecurity.org/controls/":["1","13","14","15","16","2","3","5","6"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 7.1","SR 7.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.17.2.1"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.2","CIP-004-6 R3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751499456" onclick="return openRuleDetailsDialog('idm46361751499456')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" 
class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751495472" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["AU-9(3)","CM-6(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1","FIA_X509_EXT.1.1","FMT_SMF_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751495472" onclick="return openRuleDetailsDialog('idm46361751495472')">Configure TLS for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751491504" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751491504" onclick="return openRuleDetailsDialog('idm46361751491504')">Configure CA certificate for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idm46361751562048" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000051-GPOS-00024","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.1"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751562048" onclick="return openRuleDetailsDialog('idm46361751562048')">Ensure rsyslog is Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-overview-leaf-idm46361751558048" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4(1)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-001557","CCI-001851","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2","SR 7.1","SR 7.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO13.01","BAI03.05","BAI04.04","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2","A.17.2.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751558048" onclick="return openRuleDetailsDialog('idm46361751558048')">Enable rsyslog Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Network Configuration and Firewalls</strong> <span class="badge">4x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>firewalld</strong> <span class="badge">3x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Inspect and Activate Default firewalld Rules</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_firewalld_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751474128" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"NIST SP 800-53":["CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115","SRG-OS-000298-GPOS-00116","SRG-OS-000480-GPOS-00227","SRG-OS-000480-GPOS-00232"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751474128" onclick="return 
openRuleDetailsDialog('idm46361751474128')">Install firewalld Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751470128" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"NIST SP 800-171":["3.1.3","3.4.7"],"NIST SP 800-53":["AC-4","CM-7(b)","CA-3(5)","SC-7(21)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000382","CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115","SRG-OS-000480-GPOS-00227","SRG-OS-000480-GPOS-00231","SRG-OS-000480-GPOS-00232"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.1.2"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4","CIP-003-8 R5","CIP-004-6 R3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751470128" onclick="return openRuleDetailsDialog('idm46361751470128')">Verify firewalld Enabled</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Strengthen the Default Ruleset</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-overview-leaf-idm46361751466128" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"":["1416","SRG-OS-000096-VMM-000490","SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["AC-4","CM-7(b)","CA-3(5)","SC-7(21)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000382","CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.2.5"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751466128" onclick="return openRuleDetailsDialog('idm46361751466128')">Configure the Firewalld Ports</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751460080" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"":["1416","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.3","3.4.7","3.13.6"],"NIST SP 800-53":["CA-3(5)","CM-7(b)","SC-7(23)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.2.1"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"FBI CJIS":["5.10.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-1.4"]}'><td style="padding-left: 
95px"><a href="#rule-detail-idm46361751460080" onclick="return openRuleDetailsDialog('idm46361751460080')">Set Default firewalld Zone for Incoming Packets</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Wireless Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-wireless");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" style="padding-left: 76px">Disable Wireless Through Software Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_wireless_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-overview-leaf-idm46361751265264" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"":["1315","1319"],"NIST SP 800-171":["3.1.16"],"NIST SP 
800-53":["AC-18(a)","AC-18(3)","CM-7(a)","CM-7(b)","CM-6(a)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000085","CCI-002418","CCI-002421","CCI-001443","CCI-001444"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000299-GPOS-00117","SRG-OS-000300-GPOS-00118","SRG-OS-000424-GPOS-00188","SRG-OS-000481-GPOS-000481"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"],"PCI-DSS Requirement":["Req-1.3.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751265264" onclick="return openRuleDetailsDialog('idm46361751265264')">Deactivate Wireless Network Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notapplicable"><div><abbr 
title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_nmcli_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751484800" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.1.16"],"NIST SP 800-53":["AC-18(4)","CM-6(a)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751484800" onclick="return openRuleDetailsDialog('idm46361751484800')">Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-overview-leaf-idm46361751480800" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","CM-7(2)","MA-3"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.DP-5","ID.AM-1","PR.IP-1","PR.MA-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","11","14","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 
1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6","SR 7.8"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.3.7","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.4"],"https://www.isaca.org/resources/cobit":["APO11.06","APO12.06","BAI03.10","BAI09.01","BAI09.02","BAI09.03","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.05","DSS04.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.1.2","A.11.2.4","A.11.2.5","A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.16.1.6","A.8.1.1","A.8.1.2","A.9.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751480800" onclick="return openRuleDetailsDialog('idm46361751480800')">Ensure System is Not Acting as a Network Sniffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">8x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Verify Permissions on 
Important Files and Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify File Permissions Within Some Important Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_within_important_dirs");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-overview-leaf-idm46361751112512" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751112512" onclick="return openRuleDetailsDialog('idm46361751112512')">Verify that System Executables Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-overview-leaf-idm46361751108512" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751108512" onclick="return openRuleDetailsDialog('idm46361751108512')">Verify that Shared Library Files Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-overview-leaf-idm46361751101808" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 
5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751101808" onclick="return openRuleDetailsDialog('idm46361751101808')">Verify that System Executables Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-overview-leaf-idm46361751097808" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 
800-53":["CM-6(a)","CM-5(6)","CM-5(6).1","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751097808" onclick="return openRuleDetailsDialog('idm46361751097808')">Verify that Shared Library Files Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-overview-leaf-idm46361751259856" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000138-GPOS-00069"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.12"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751259856" onclick="return openRuleDetailsDialog('idm46361751259856')">Verify that All World-Writable Directories Have Sticky Bits Set</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-overview-leaf-idm46361751248384" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.14"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751248384" onclick="return openRuleDetailsDialog('idm46361751248384')">Ensure All SGID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-overview-leaf-idm46361751244384" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.13"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751244384" onclick="return openRuleDetailsDialog('idm46361751244384')">Ensure All SUID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-overview-leaf-idm46361751240384" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.9"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 
2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751240384" onclick="return openRuleDetailsDialog('idm46361751240384')">Ensure No World-Writable Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Partition Mount Options</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-overview-leaf-idm46361751054384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.2"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751054384" onclick="return openRuleDetailsDialog('idm46361751054384')">Add nodev Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751050384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.3"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 
R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751050384" onclick="return openRuleDetailsDialog('idm46361751050384')">Add noexec Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-overview-leaf-idm46361751046384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.4"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751046384" onclick="return openRuleDetailsDialog('idm46361751046384')">Add nosuid Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Programs from Dangerous Execution Patterns</strong> <span class="badge">7x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td 
colspan="3" style="padding-left: 76px"><strong>Enable ExecShield</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-overview-leaf-idm46361750895808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002530"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00192"],"https://www.cisecurity.org/controls/":["12","15","8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750895808" onclick="return openRuleDetailsDialog('idm46361750895808')">Enable ExecShield via sysctl</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750891808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 
800-53":["SC-30","SC-30(2)","SC-30(5)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002824","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000433-GPOS-00192","SRG-OS-000480-GPOS-00227"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-002-5 R1.1","CIP-002-5 R1.2","CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 4.1","CIP-004-6 4.2","CIP-004-6 R2.2.3","CIP-004-6 R2.2.4","CIP-004-6 R2.3","CIP-004-6 R4","CIP-005-6 R1","CIP-005-6 R1.1","CIP-005-6 R1.2","CIP-007-3 R3","CIP-007-3 R3.1","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3","CIP-007-3 R8.4","CIP-009-6 R.1.1","CIP-009-6 R4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750891808" onclick="return openRuleDetailsDialog('idm46361750891808')">Restrict Exposed Kernel Pointer Addresses Access</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750887808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["SC-30","SC-30(2)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-002824"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00193","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.3"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-002-5 R1.1","CIP-002-5 R1.2","CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 4.1","CIP-004-6 4.2","CIP-004-6 R2.2.3","CIP-004-6 R2.2.4","CIP-004-6 R2.3","CIP-004-6 R4","CIP-005-6 R1","CIP-005-6 R1.1","CIP-005-6 R1.2","CIP-007-3 R3","CIP-007-3 R3.1","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3","CIP-007-3 R8.4","CIP-009-6 R.1.1","CIP-009-6 R4"],"PCI-DSS Requirement":["Req-2.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750887808" onclick="return openRuleDetailsDialog('idm46361750887808')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750956416" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-171":["3.1.5"],"NIST SP 
800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001090","CCI-001314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750956416" onclick="return openRuleDetailsDialog('idm46361750956416')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750952416" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000366-GPOS-00153"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750952416" onclick="return openRuleDetailsDialog('idm46361750952416')">Disable Kernel Image Loading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750929488" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["AC-6","SC-7(10)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750929488" onclick="return openRuleDetailsDialog('idm46361750929488')">Disable Access to Network bpf() Syscall From Unprivileged Processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750922736" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["SC-7(10)"],"ANSSI":["BP28(R25)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750922736" onclick="return openRuleDetailsDialog('idm46361750922736')">Restrict usage of ptrace to descendant processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" 
id="rule-overview-leaf-idm46361750918736" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["CM-6","SC-7(10)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750918736" onclick="return openRuleDetailsDialog('idm46361750918736')">Harden the operation of the BPF just-in-time compiler</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">SELinux<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_selinux");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux-booleans" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux-booleans" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux"><td colspan="3" style="padding-left: 57px">SELinux - Booleans<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_selinux-booleans");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" id="rule-overview-leaf-idm46361750830800" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["80424-5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750830800" onclick="return openRuleDetailsDialog('idm46361750830800')">Enable the auditadm_exec_content SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm46361750846576" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.2","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-004-6 R3.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750846576" onclick="return openRuleDetailsDialog('idm46361750846576')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm46361750841776" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R4)","BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001084","CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199","SRG-OS-000134-GPOS-00068"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1.5"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.2","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-004-6 R3.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750841776" onclick="return openRuleDetailsDialog('idm46361750841776')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" 
style="padding-left: 19px"><strong>Services</strong> <span class="badge">20x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_avahi" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Avahi Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_avahi");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disable_avahi_group" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disable_avahi_group" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi"><td colspan="3" style="padding-left: 57px">Disable Avahi Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disable_avahi_group");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-overview-leaf-idm46361750221344" data-tt-parent-id="xccdf_org.ssgproject.content_group_disable_avahi_group" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750221344" onclick="return openRuleDetailsDialog('idm46361750221344')">Disable Avahi Server Software</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fapolicyd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fapolicyd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Application Whitelisting Daemon</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750096816" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764","CCI-001774"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155","SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00230"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750096816" 
onclick="return openRuleDetailsDialog('idm46361750096816')">Install fapolicyd Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750092816" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764","CCI-001774"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155","SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00230"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750092816" onclick="return openRuleDetailsDialog('idm46361750092816')">Enable the File Access Policy Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_chrony_installed" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-overview-leaf-idm46361749995776" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"],"PCI-DSS Requirement":["Req-10.6.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749995776" onclick="return openRuleDetailsDialog('idm46361749995776')">The Chrony package is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_enabled" id="rule-overview-leaf-idm46361749989744" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749989744" onclick="return openRuleDetailsDialog('idm46361749989744')">The Chronyd service is enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-overview-leaf-idm46361749967520" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AU-8(1)(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/cci/":["CCI-000160","CCI-001891"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.2"],"PCI-DSS Requirement":["Req-10.4.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749967520" onclick="return openRuleDetailsDialog('idm46361749967520')">A remote time server for Chrony is configured</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Xinetd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_inetd_and_xinetd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xinetd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" 
id="rule-overview-leaf-idm46361749954000" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749954000" onclick="return openRuleDetailsDialog('idm46361749954000')">Uninstall xinetd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-overview-leaf-idm46361749950016" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 800-171":["3.4.7"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749950016" onclick="return openRuleDetailsDialog('idm46361749950016')">Disable xinetd Service</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypbind_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-overview-leaf-idm46361749946032" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749946032" onclick="return openRuleDetailsDialog('idm46361749946032')">Remove NIS Client</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm46361749936640" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749936640" onclick="return openRuleDetailsDialog('idm46361749936640')">Uninstall rsh-server Package</a></td><td 
class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-overview-leaf-idm46361749932640" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749932640" onclick="return openRuleDetailsDialog('idm46361749932640')">Uninstall rsh Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Chat/Messaging Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_talk");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-overview-leaf-idm46361749917888" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" 
data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749917888" onclick="return openRuleDetailsDialog('idm46361749917888')">Uninstall talk-server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-overview-leaf-idm46361749913888" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749913888" onclick="return openRuleDetailsDialog('idm46361749913888')">Uninstall talk Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm46361749909920" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.13"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"],"PCI-DSS Requirement":["Req-2.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749909920" onclick="return openRuleDetailsDialog('idm46361749909920')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-overview-leaf-idm46361749905920" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749905920" onclick="return openRuleDetailsDialog('idm46361749905920')">Remove telnet Clients</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-overview-leaf-idm46361749901936" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13","3.4.7"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-3","PR.AC-6","PR.AC-7","PR.IP-1","PR.PT-3","PR.PT-4"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","3","5","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.18.1.4","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749901936" onclick="return openRuleDetailsDialog('idm46361749901936')">Disable telnet Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr
data-tt-id="xccdf_org.ssgproject.content_group_proxy" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_proxy" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Proxy Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_proxy");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_squid" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_squid" data-tt-parent-id="xccdf_org.ssgproject.content_group_proxy"><td colspan="3" style="padding-left: 57px">Disable Squid if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_squid");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_squid_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-overview-leaf-idm46361749884480" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" data-references='{"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749884480" onclick="return openRuleDetailsDialog('idm46361749884480')">Uninstall squid Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_squid_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-overview-leaf-idm46361749880512" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" 
data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361749880512" onclick="return openRuleDetailsDialog('idm46361749880512')">Disable Squid</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_routing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_routing" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Routing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_routing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_quagga" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_quagga" data-tt-parent-id="xccdf_org.ssgproject.content_group_routing"><td colspan="3" style="padding-left: 57px">Disable Quagga if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_quagga");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_quagga_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-overview-leaf-idm46361749871776" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_quagga" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749871776" onclick="return openRuleDetailsDialog('idm46361749871776')">Uninstall quagga Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SNMP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Disable SNMP Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_snmp_service");});</script></td></tr><tr
data-tt-id="xccdf_org.ssgproject.content_rule_service_snmpd_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-overview-leaf-idm46361749855584" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" data-references='{"":["1311","SRG-OS-000480-VMM-002000"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749855584" onclick="return openRuleDetailsDialog('idm46361749855584')">Disable snmpd Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Configure SNMP Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp_configure_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-overview-leaf-idm46361749849552" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references='{"":["1311"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749849552" onclick="return openRuleDetailsDialog('idm46361749849552')">Configure SNMP Service to Use Only SNMPv3 or Newer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the 
test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>SSH Server</strong> <span class="badge">15x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px"><strong>Configure OpenSSH Server if Necessary</strong> <span class="badge">15x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749804288" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.8"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749804288" onclick="return openRuleDetailsDialog('idm46361749804288')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" class="rule-overview-leaf rule-overview-leaf-fail
rule-overview-needs-attention" id="rule-overview-leaf-idm46361749799504" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["1416"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-6(b)","CM-7(a)","CM-7(b)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749799504" onclick="return openRuleDetailsDialog('idm46361749799504')">Enable SSH Server firewalld Firewall Exception</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-overview-leaf-idm46361749794688" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0487","1449","1506","SRG-OS-000033-VMM-000140"],"NIST SP 800-171":["3.1.13","3.5.4"],"NIST SP 800-53":["CM-6(a)","AC-17(a)","AC-17(2)","IA-5(1)(c)","SC-13","MA-4(6)"],"ANSSI":["NT007(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-3","PR.AC-6","PR.AC-7","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000197","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000074-GPOS-00042","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16","5","8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.13","SR 
1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.6","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS01.04","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.11.2.6","A.13.1.1","A.13.2.1","A.14.1.3","A.18.1.4","A.6.2.1","A.6.2.2","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749794688" onclick="return openRuleDetailsDialog('idm46361749794688')">Allow Only SSH Protocol 2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749787168" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 
800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["NT007(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.DS-5","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000766"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000106-GPOS-00053","SRG-OS-000480-GPOS-00229","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.9"],"https://www.cisecurity.org/controls/":["11","12","13","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm46361749787168" onclick="return openRuleDetailsDialog('idm46361749787168')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749782352" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0418","1055","1402","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-17(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1","FCS_SSH_EXT.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749782352" onclick="return openRuleDetailsDialog('idm46361749782352')">Disable GSSAPI Authentication</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749777552" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1","FCS_SSH_EXT.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749777552" onclick="return openRuleDetailsDialog('idm46361749777552')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749770688" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000107-VMM-000530"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.11"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 
27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749770688" onclick="return openRuleDetailsDialog('idm46361749770688')">Disable SSH Support for .rhosts Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749763200" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6(2)","AC-17(a)","IA-2","IA-2(5)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R19)","NT007(R21)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000109-GPOS-00056","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.7"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 
2.6","SR 2.7","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749763200" onclick="return openRuleDetailsDialog('idm46361749763200')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749753632" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749753632" onclick="return openRuleDetailsDialog('idm46361749753632')">Disable SSH Support for User Known Hosts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749748816" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["CM-6(b)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.12"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm46361749748816" onclick="return openRuleDetailsDialog('idm46361749748816')">Disable X11 Forwarding</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749744000" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.10"],"https://www.cisecurity.org/controls/":["11","3","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749744000" onclick="return openRuleDetailsDialog('idm46361749744000')">Do Not Allow SSH Environment Options</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The 
target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749731728" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6","AC-17(a)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749731728" onclick="return openRuleDetailsDialog('idm46361749731728')">Enable Use of Strict Mode Checking</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749726928" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000023-VMM-000060","SRG-OS-000024-VMM-000070"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(c)","AC-17(a)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000023-GPOS-00006","SRG-OS-000228-GPOS-00088"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.15"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTA_TAB.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749726928" onclick="return openRuleDetailsDialog('idm46361749726928')">Enable SSH Warning 
Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749715280" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["AC-9","AC-9(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000052"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749715280" onclick="return openRuleDetailsDialog('idm46361749715280')">Enable SSH Print Last Log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749705104" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["AC-17(a)","CM-6(a)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749705104" onclick="return openRuleDetailsDialog('idm46361749705104')">Set LogLevel to INFO</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749697600" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.16"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749697600" onclick="return openRuleDetailsDialog('idm46361749697600')">Set SSH authentication attempt limit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" id="rule-overview-leaf-idm46361749686576" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361749686576" onclick="return openRuleDetailsDialog('idm46361749686576')">Distribute the SSH Server configuration to multiple 
files in a config directory.</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-overview-leaf-idm46361749826528" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-17(a)","CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.2"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td 
style="padding-left: 57px"><a href="#rule-detail-idm46361749826528" onclick="return openRuleDetailsDialog('idm46361749826528')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_usbguard" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_usbguard" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>USBGuard daemon</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_usbguard_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749660176" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"":["1418"],"NIST SP 800-53":["CM-8(3)","IA-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001958"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749660176" onclick="return openRuleDetailsDialog('idm46361749660176')">Install usbguard Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749656176" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"":["1418"],"NIST SP 
800-53":["CM-8(3)(a)","IA-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000416","CCI-001958"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749656176" onclick="return openRuleDetailsDialog('idm46361749656176')">Enable the USBGuard Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749646800" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"NIST SP 800-53":["CM-8(3)","IA-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000114-GPOS-00059"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749646800" onclick="return openRuleDetailsDialog('idm46361749646800')">Authorize Human Interface Devices and USB hubs in USBGuard daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-detail-idm46361753259424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-90841-8 </div><div class="panel-heading"><h3 class="panel-title">Verify File Hashes with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_hashes:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:45+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90841-8">CCE-90841-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command as root to list which files on the system have hashes that differ from what is expected by the RPM database:
<pre>$ sudo rpm -Va --noconfig | grep '^..5'</pre>
A "5" in the third column of the verify string marks a digest mismatch. Because <code>--noconfig</code> skips configuration files, every file listed is one that is not normally expected to change; if the command is run without <code>--noconfig</code>, a "c" in the second column marks a configuration file, which may legitimately differ from the packaged copy. Run the check as root: an unprivileged user cannot read many of these files, and rpm then prints "?" in place of a result. If a file was not expected to change, investigate the cause of the change using audit logs or other means before restoring it. Note that the comparison is against the local RPM database, which an intruder with root access can also edit; on a host suspected of compromise, verify against package files from trusted media or a known-good system instead. The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
<pre>$ rpm -qf <i>FILENAME</i></pre>
The package can be reinstalled from a dnf repository using the command:
<pre>$ sudo dnf reinstall <i>PACKAGENAME</i></pre>
Alternatively, the package can be reinstalled from a package file on trusted media. Plain <code>rpm -Uvh</code> refuses to install a version that is already installed, so <code>--replacepkgs</code> is required:
<pre>$ sudo rpm -Uvh --replacepkgs <i>PACKAGEFILE</i>.rpm</pre>
After reinstalling, rerun the verification command to confirm that the file now matches.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">verify file md5 hashes</span> <span class="label label-default">oval:ssg-test_files_fail_md5_hash:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_md5_hash:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>^/(bin|sbin|lib|lib64|usr)/.+$</td><td>oval:ssg-state_files_fail_md5_hash:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-detail-idm46361753255456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Verify and Correct Ownership with RPMxccdf_org.ssgproject.content_rule_rpm_verify_ownership highCCE-90842-6 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct Ownership with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_ownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:52+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90842-6">CCE-90842-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, 
<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001494</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001496</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.15</a></p></td></tr><tr><td>Description</td><td><div class="description">The RPM package management system can check the user and group ownership of the files installed by software packages, including many that are important to system security. Files whose owner or group differs from the packaged values can be listed with the following command, run as root so that every file can be inspected (adding <code>--nofiledigest</code> skips the digest computation, which this check does not need):
<pre>$ sudo rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'</pre>
A "U" in the sixth column of the verify string means the owning user differs from the RPM database, and a "G" in the seventh column means the group differs. After locating a file with incorrect ownership, run the following command to determine which package owns it:
<pre>$ rpm -qf <i>FILENAME</i></pre>
Next, run the following command to reset the owner and group of every file in that package to the packaged values:
<pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">user ownership of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_user_ownership:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_user_ownership:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>oval:ssg-state_files_fail_user_ownership:ste:1</td></tr></tbody></table><h4><span class="label label-primary">group ownership of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_group_ownership:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_group_ownership:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no 
value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>oval:ssg-state_files_fail_group_ownership:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-detail-idm46361753251488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-90840-0 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct File Permissions with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90840-0">CCE-90840-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, 
<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001493</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001494</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001495</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001496</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000258-GPOS-00099</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.15</a></p></td></tr><tr><td>Description</td><td><div class="description">The RPM package management system can check the access permissions of the files installed by software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command, run as root so that every file can be inspected:
<pre>$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'</pre>
An "M" in the second column of the verify string means the file mode (permission bits and file type) differs from the value recorded in the RPM database, so each path printed is a file whose permissions do not match the vendor defaults. Adding <code>--nofiledigest</code> to <code>rpm -Va</code>, as the remediation script for this rule does, skips the digest computation that this check does not need and makes the run considerably faster. 
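As an added example that is not part of the SSG content or of this report: the three RPM verification rules in this report (file hashes, ownership, permissions) all read the same <code>rpm -Va</code> output and differ only in which column of the verify string they select, so one small script can triage all three at once. The shell functions below classify <code>rpm -Va</code> lines the way the rules' grep and awk one-liners do, exclude configuration files from the hash check as <code>--noconfig</code> does, and turn each finding into the reinstall, <code>--setperms</code> or <code>--setugids</code> command the rule descriptions prescribe, printed for review rather than executed. The sample <code>rpm -Va</code> lines, the package names and the <code>sample_rpm_qf</code> stand-in for <code>rpm -qf</code> are constructed for the demonstration and are not data from the scanned host.

```shell
#!/bin/sh
# Added example, not part of the SSG content or of this OpenSCAP report.
# Classifies `rpm -Va` output into the findings that the report's RPM rules
# (rpm_verify_hashes, rpm_verify_ownership, rpm_verify_permissions) look for,
# then turns them into a per-package remediation plan.
#
# Verify string layout (rpm 4.x, see rpm(8)), one character per attribute:
#   1 S size   2 M mode    3 5 digest  4 D device  5 L readlink
#   6 U user   7 G group   8 T mtime   9 P capabilities
# "." means the attribute matches, "?" means it could not be tested (typically
# an unreadable file when rpm -V is run without root). The verify string is
# followed by an optional file-type attribute (c = config, d = doc, g = ghost,
# l = license, r = readme, a = artifact) and the path. Absent files are
# reported as "missing   [attr] /path". Paths containing whitespace are not
# handled, the same limitation as the awk one-liners in the rule descriptions.

# Constructed sample of rpm -Va output; NOT output captured from the scanned host.
SAMPLE_RPM_VA='S.5....T.    /usr/bin/ssh
.M.......    /usr/bin/sudo
..5....T.  c /etc/ssh/sshd_config
.....UG..    /usr/lib64/libcrypto.so.3
.M...UG..    /usr/sbin/auditd
.......T.    /usr/share/doc/foo/README
missing   d /usr/share/man/man8/sudo.8.gz'

# classify_rpm_verify: reads rpm -Va output on stdin and prints "<finding> <path>"
# lines. Findings: hash (digest differs; config files excluded, as the hashes rule
# does with --noconfig), perms (mode differs), owner (user or group differs),
# missing. One file can yield several findings.
classify_rpm_verify() {
    awk '
    $1 == "missing" { print "missing " $NF; next }
    length($1) != 9 { next }                       # not a verify string
    {
        flags = $1; attr = (NF == 3) ? $2 : ""; path = $NF
        if (substr(flags, 3, 1) == "5" && attr != "c") print "hash " path
        if (substr(flags, 2, 1) == "M")                 print "perms " path
        if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G") print "owner " path
    }'
}

# sample_rpm_qf: constructed stand-in for `rpm -qf PATH` so the example runs on a
# host without these packages. On a real host leave RPM_QF unset.
sample_rpm_qf() {
    case "$1" in
        /usr/bin/ssh)                   echo openssh-clients ;;
        /usr/bin/sudo)                  echo sudo ;;
        /usr/share/man/man8/sudo.8.gz)  echo sudo ;;
        /usr/lib64/libcrypto.so.3)      echo openssl-libs ;;
        /usr/sbin/auditd)               echo audit ;;
        *)                              echo unknown-package ;;
    esac
}

# plan_remediation: reads "<finding> <path>" lines on stdin, resolves each path
# to its owning package(s) with $RPM_QF (default: rpm -qf; a file can belong to
# more than one package) and prints one command per package and finding,
# de-duplicated. Commands are printed, not run, so they can be reviewed first.
plan_remediation() {
    rpm_qf="${RPM_QF:-rpm -qf}"
    while read -r finding path; do
        $rpm_qf "$path" | while read -r pkg; do
            case "$finding" in
                hash|missing) echo "dnf reinstall -y $pkg" ;;   # restores file content
                perms)        echo "rpm --setperms $pkg" ;;      # restores mode bits
                owner)        echo "rpm --setugids $pkg" ;;      # restores owner/group
            esac
        done
    done | LC_ALL=C sort -u
}

# demo_plan: runs the whole pipeline on the constructed sample.
demo_plan() {
    printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify | RPM_QF=sample_rpm_qf plan_remediation
}

demo_plan
```

On a real host, drop the <code>demo_plan</code> call at the end, source the file as root with <code>RPM_QF</code> unset, and pipe <code>sudo rpm -Va</code> (or <code>rpm -Va --nofiledigest</code> when only mode and ownership are of interest) into <code>classify_rpm_verify | plan_remediation</code>. Review the printed commands before running any of them: a digest mismatch on an executable should be investigated and the replacement package's signature checked before the file is overwritten, and a mode or owner that a hardening profile deliberately changed will show up as a finding and would be undone by the reset, which is what the warnings on these rules are about.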
After locating a file with incorrect permissions,
run the following command to determine which package owns it:
<pre>$ rpm -qf <i>FILENAME</i></pre>
<br>
Next, run the following command to reset its permissions to
the correct values:
<pre>$ sudo rpm --setperms <i>PACKAGENAME</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Permissions on system binaries and configuration files that are too generous
could allow an unauthorized user to gain privileges that they should not have.
The permissions set by the vendor should be maintained. Any deviations from
this baseline should be investigated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
 Profiles may require that specific files have stricter file permissions than defined by the
vendor.
Such files will be reported as a finding and need to be evaluated according to your policy
and deployment environment.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187208352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script</a><br><div class="panel-collapse collapse" id="idm46362187208352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>high</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>
# Declare array to hold set of RPM packages we need to correct permissions for
declare -A SETPERMS_RPM_DICT

# Create a list of files on the system having permissions different from what
# is expected by the RPM database
readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
  # NOTE: some files may be controlled by more than one package
  readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
  for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
  do
    # Use an associative array with the package names as its keys, so duplicates collapse automatically.
    SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
  done
done

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
  rpm --restore "${RPM_PACKAGE}"
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187204368" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet</a><br><div class="panel-collapse collapse" id="idm46362187204368"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>high</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Read list of files with incorrect permissions
  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
    --nocaps --nolinkto --nouser --nogroup
  register: files_with_incorrect_permissions
  failed_when: files_with_incorrect_permissions.rc > 1
  changed_when: false
  check_mode: false
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Create list of packages
  command: rpm -qf "{{ item }}"
  with_items: '{{ 
    files_with_incorrect_permissions.stdout_lines | map(''regex_findall'',
    ''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'')
    | list | unique }}'
  register: list_of_packages
  changed_when: false
  check_mode: false
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Correct file permissions with RPM
  command: rpm --setperms '{{ item }}'
  with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
    | unique }}'
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">mode of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_mode:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Extended name</th><th>Size differs</th><th>Mode differs</th><th>Md5 differs</th><th>Device differs</th><th>Link mismatch</th><th>Ownership differs</th><th>Group differs</th><th>Mtime differs</th><th>Capabilities differ</th><th>Configuration file</th><th>Documentation file</th><th>Ghost file</th><th>License file</th><th>Readme file</th></tr></thead><tbody><tr><td>grub2-efi-x64</td><td>1</td><td>2.06</td><td>61.el9</td><td>x86_64</td><td>/boot/grub2/fonts/unicode.pf2</td><td>grub2-efi-x64-1:2.06-61.el9.x86_64</td><td>pass</td><td>fail</td><td>not performed</td><td>pass</td><td>pass</td><td>pass</td><td>pass</td><td>fail</td><td>pass</td><td role="num">false</td><td role="num">false</td><td role="num">false</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm46361753247504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-90843-4 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_aide_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90843-4">CCE-90843-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1034</a>, <a href="">1288</a>, <a href="">1341</a>, <a href="">1417</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>aide</code> package can be installed with the following command:
<pre>
$ sudo dnf install aide</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The AIDE package must be installed if it is to be available for integrity checking.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187136208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script</a><br><div class="panel-collapse collapse" id="idm46362187136208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    dnf install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187133424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet</a><br><div class="panel-collapse collapse" id="idm46362187133424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90843-4
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362193591024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet</a><br><div class="panel-collapse collapse" id="idm46362193591024"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362193588880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet</a><br><div class="panel-collapse collapse" id="idm46362193588880"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
package --add=aide
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362193586896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet</a><br><div class="panel-collapse collapse" id="idm46362193586896"><pre><code>
[[packages]]
name = "aide"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_aide_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>aide</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_enable_fips_mode" id="rule-detail-idm46361753213824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to 
search the report rules-->Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-88742-2 </div><div class="panel-heading"><h3 class="panel-title">Enable FIPS Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_fips_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_fips_mode:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-88742-2">CCE-88742-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000068</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000803</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002450</a>, <a href="">1446</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="">SRG-OS-000120-VMM-000600</a>, <a href="">SRG-OS-000478-VMM-001980</a>, <a href="">SRG-OS-000396-VMM-001590</a></p></td></tr><tr><td>Description</td><td><div class="description">To enable FIPS mode, run the following command:
<pre>fips-mode-setup --enable</pre>
<br>
The <code>fips-mode-setup</code> command will configure the system in
FIPS mode by automatically configuring the following:
<ul><li>Setting the kernel FIPS mode flag (<code>/proc/sys/crypto/fips_enabled</code>) to <code>1</code></li><li>Creating <code>/etc/system-fips</code></li><li>Setting the system crypto policy in <code>/etc/crypto-policies/config</code> to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></code></li><li>Loading the Dracut <code>fips</code> module</li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. 
The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
 The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
 This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
<a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search">https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search</a>.
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186664912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script</a><br><div class="panel-collapse collapse" id="idm46362186664912"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_system_crypto_policy='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>'


fips-mode-setup --enable

stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
    echo "$stderr_of_call" >&2
    echo "Make sure that the script is installed on the remediated system." >&2
    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
    echo "to see what package to (re)install" >&2

    false  # end with an error code
elif test "$rc" != 0; then
    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
    false  # end with an error code
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/etc/system-fips exists</span> <span class="label label-default">oval:ssg-test_etc_system_fips:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_system_fips:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/system-fips</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter crypto.fips_enabled set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_crypto_fips_enabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>crypto.fips_enabled</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">add_dracutmodules contains fips</span> <span class="label label-default">oval:ssg-test_enable_dracut_fips_module:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_enable_dracut_fips_module:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dracut.conf.d/40-fips.conf</td><td>^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/state/current</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span> <span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_timestamp:var:1</td><td>1683104181</td></tr></tbody></table><h4><span class="label label-primary">Check if 
/etc/crypto-policies/back-ends/nss.config exists</span> <span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table><h4><span class="label label-primary">tests if var_system_crypto_policy is set to FIPS</span> <span class="label label-default">oval:ssg-test_system_crypto_policy_value:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_system_crypto_policy:var:1</td><td>FIPS</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="rule-detail-idm46361753198848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-83450-7 </div><div class="panel-heading"><h3 class="panel-title">Configure System Cryptography Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83450-7">CCE-83450-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="">1446</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.10</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></code> policy, run the following command:
<pre>$ sudo update-crypto-policies --set <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></pre>
The rule checks whether the settings for the selected crypto policy are configured as expected. Configuration files in <code>/etc/crypto-policies/back-ends</code> are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case the module name is delimited from the base policy with a colon.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certification. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. 
See <b><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>
To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third-party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186516272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362186516272"><pre><code>
var_system_crypto_policy='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>'


stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
    echo "$stderr_of_call" >&2
    echo "Make sure that the script is installed on the remediated system." >&2
    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
    echo "to see what package to (re)install" >&2

    false  # end with an error code
elif test "$rc" != 0; then
    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
    false  # end with an error code
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186513216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362186513216"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
  tags:
    - always

- name: Configure System Cryptography Policy
  lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  tags:
    - CCE-83450-7
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy

- name: Verify that Crypto Policy is Set (runtime)
  command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
  tags:
    - CCE-83450-7
    - NIST-800-53-AC-17(2)
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-SC-13
    - configure_crypto_policy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186509280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362186509280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: configure-crypto-policy.service
        enabled: true
        contents: |
          [Unit]
          Before=kubelet.service
          [Service]
          Type=oneshot
          ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
          RemainAfterExit=yes
          [Install]
          WantedBy=multi-user.target
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span>
<span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy 
correctly configured in /etc/crypto-policies/state/current</span>
<span class="label label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span>
<span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_timestamp:var:1</td><td>1683104181</td></tr></tbody></table><h4><span class="label label-primary">Check if /etc/crypto-policies/back-ends/nss.config exists</span>
<span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="rule-detail-idm46361753180512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy 
mediumCCE-83445-7 </div><div class="panel-heading"><h3 class="panel-title">Configure SSH to use System Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_ssh_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83445-7">CCE-83445-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="https://public.cyber.mil/stigs/cci/">CCI-001453</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHC_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.14</a></p></td></tr><tr><td>Description</td><td><div class="description">Crypto policies provide centralized control over the cryptographic algorithms used by many packages. SSH is covered by the system crypto policy, but the SSH configuration may be set up to ignore it. To check that the crypto policy settings are applied, ensure that the <code>CRYPTO_POLICY</code> variable is either commented out or not set at all in <code>/etc/sysconfig/sshd</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that the SSH configuration mandates usage of system-wide crypto policies.</span>
<span class="label label-default">oval:ssg-test_configure_ssh_crypto_policy:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_configure_ssh_crypto_policy:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysconfig/sshd</td><td>^\s*(?i)CRYPTO_POLICY\s*=.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-detail-idm46361753037232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-83523-1 </div><div class="panel-heading"><h3 class="panel-title">Install sudo Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sudo_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sudo_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83523-1">CCE-83523-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="">1382</a>, <a href="">1384</a>, <a href="">1386</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>sudo</code> package can be installed with the following command:
<pre>
$ sudo dnf install sudo</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>sudo</code> is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sudo is installed</span>
<span class="label label-default">oval:ssg-test_package_sudo_installed:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sudo</td><td>x86_64</td><td>(none)</td><td>9.el9</td><td>1.9.5p2</td><td>0:1.9.5p2-9.el9</td><td>199e2f91fd431d51</td><td>sudo-0:1.9.5p2-9.el9.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm46361753022496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-83544-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_no_authenticate:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83544-7">CCE-83544-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>!authenticate</code> option does not exist in the <code>/etc/sudoers</code> configuration file or any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
<br><br>
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span>
<span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span>
<span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm46361753018496"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-83536-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_nopasswd:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83536-3">CCE-83536-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code> tag does not exist in the <code>/etc/sudoers</code> configuration file or in any sudo configuration snippet in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
<br><br>
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184347136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362184347136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>
for f in /etc/sudoers /etc/sudoers.d/* ; do
    if [ ! -e "$f" ] ; then
        continue
    fi
    matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
    if ! test -z "$matching_list"; then
        while IFS= read -r entry; do
            # comment out "NOPASSWD" matches to preserve user data
            sed -i "s/^${entry}$/# &/g" $f
        done <<< "$matching_list"

        /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
    fi
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184344528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184344528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-83536-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-83536-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">NOPASSWD does not exist /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers.d/90-cloud-init-users</td><td>quickcluster ALL=(ALL) NOPASSWD:
ALL</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_require_authentication" id="rule-detail-idm46361753014528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudoxccdf_org.ssgproject.content_rule_sudo_require_authentication mediumCCE-83543-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_require_authentication</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_require_authentication:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83543-9">CCE-83543-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> tag and the <code>!authenticate</code> option, when specified, allow a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that <code>NOPASSWD</code> and <code>!authenticate</code> do not exist in the <code>/etc/sudoers</code> configuration file or in any sudo configuration snippet in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
<br><br>
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184299984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362184299984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>
for f in /etc/sudoers /etc/sudoers.d/* ; do
    if [ ! -e "$f" ] ; then
        continue
    fi
    matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
    if ! test -z "$matching_list"; then
        while IFS= read -r entry; do
            # comment out "NOPASSWD" matches to preserve user data
            sed -i "s/^${entry}$/# &/g" $f
        done <<< "$matching_list"

        /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
    fi
done

for f in /etc/sudoers /etc/sudoers.d/* ; do
    if [ ! -e "$f" ] ; then
        continue
    fi
    matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
    if ! test -z "$matching_list"; then
        while IFS= read -r entry; do
            # comment out "!authenticate" matches to preserve user data
            sed -i "s/^${entry}$/# &/g" $f
        done <<< "$matching_list"

        /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
    fi
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184295920" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184295920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-83543-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-83543-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-83543-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-83543-9
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers.d/90-cloud-init-users</td><td>quickcluster ALL=(ALL) NOPASSWD: ALL</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_rear_installed" id="rule-detail-idm46361752980784"><div class="keywords sr-only"><!--This allows
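--></div>
<div class="panel-body">
<p>The two sudo rules above fail on the same drop-in, <code>/etc/sudoers.d/90-cloud-init-users</code>, and both the shell and the Ansible fixes simply comment out every line the OVAL pattern flags. The script below is an added example, not part of this report and not SCAP Security Guide code: it applies the report's own two OVAL patterns to sudoers content, comments out the offending lines the way the fix does (by plain string prefixing rather than an unescaped <code>sed</code> expression built from file content), and shows one edge of the benchmark pattern: <code>^(?!#)</code> only skips comments that start in column one, so an indented comment that happens to contain <code>NOPASSWD:</code> is flagged and gets commented a second time. The <code>STRICT_*</code> patterns, the <code>SAMPLE_FILES</code> contents and the function names are this example's own assumptions; the quickcluster entry is the finding shown in the OVAL details.</p>
<pre>
```python
import re

# Patterns copied verbatim from the two OVAL objects in this report (PCRE; valid in Python's re).
OVAL_NOPASSWD = re.compile(r'^(?!#).*[\s]+NOPASSWD[\s]*\:.*$')
OVAL_NOAUTH = re.compile(r'^(?!#).*[\s]+\!authenticate.*$')

# Stricter variants (this example's assumption, not part of the benchmark):
# the lookahead also skips comments that are indented.
STRICT_NOPASSWD = re.compile(r'^(?!\s*#).*\s+NOPASSWD\s*:.*$')
STRICT_NOAUTH = re.compile(r'^(?!\s*#).*\s+!authenticate.*$')

# Constructed sample content standing in for the real files. The quickcluster
# line is the finding the report shows for /etc/sudoers.d/90-cloud-init-users.
SAMPLE_FILES = {
    "/etc/sudoers": (
        "## Sudoers allows particular users to run various commands as root\n"
        "Defaults    !visiblepw\n"
        "root    ALL=(ALL)       ALL\n"
        "%wheel  ALL=(ALL)       ALL\n"
        "# %wheel  ALL=(ALL)       NOPASSWD: ALL\n"
        "@includedir /etc/sudoers.d\n"
    ),
    "/etc/sudoers.d/90-cloud-init-users": (
        "# Created by cloud-init (constructed sample)\n"
        "\n"
        "# User rules for quickcluster\n"
        "quickcluster ALL=(ALL) NOPASSWD: ALL\n"
    ),
    "/etc/sudoers.d/ops": (
        "    # ops team: NOPASSWD: was removed during the 2023 review\n"
        "Defaults:%ops !authenticate\n"
        "deploy ALL=(root) NOPASSWD:/usr/bin/rsync\n"
    ),
}


def patterns(strict):
    """Pick the benchmark patterns or the stricter pair."""
    if strict:
        return STRICT_NOPASSWD, STRICT_NOAUTH
    return OVAL_NOPASSWD, OVAL_NOAUTH


def scan(text, strict=False):
    """Return [(line_number, tag, line)] for every line a pattern flags."""
    nopasswd_re, noauth_re = patterns(strict)
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if nopasswd_re.search(line):
            hits.append((number, "NOPASSWD", line))
        elif noauth_re.search(line):
            hits.append((number, "!authenticate", line))
    return hits


def audit(files, strict=False):
    """Scan the main file and every drop-in, like the two OVAL tests do;
    only files with findings are returned, keyed by path."""
    results = {}
    for path, text in files.items():
        hits = scan(text, strict)
        if hits:
            results[path] = hits
    return results


def remediate(text, strict=False):
    """Comment out flagged lines, as the shell and Ansible fixes do, without
    interpolating file content into a sed pattern. Returns (new_text, count)."""
    nopasswd_re, noauth_re = patterns(strict)
    out, changed = [], 0
    for line in text.splitlines():
        if nopasswd_re.search(line) or noauth_re.search(line):
            out.append("# " + line)
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FILES).items():
        for number, tag, line in hits:
            print(f"{path}:{number}: {tag}: {line.strip()}")
    fixed, count = remediate(SAMPLE_FILES["/etc/sudoers.d/ops"], strict=True)
    print(f"ops: {count} line(s) commented out; benchmark pattern still flags {len(scan(fixed))} line(s)")
```
</pre>
<p>Run as a script it prints the findings per file; with the benchmark patterns the indented comment in the <code>ops</code> snippet is reported alongside the two real entries, and a strict-mode remediation that leaves it alone still fails a rescan with the benchmark pattern, which is why the shipped fix comments such lines too. The benchmark fix validates every edited file with <code>/usr/sbin/visudo -cf</code> before leaving it in place; do the same after writing <code>remediate()</code> output back to disk, because sudo refuses to run at all when a sudoers file fails to parse.</p>
</div>
<div class="keywords sr-only"><!--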
OpenSCAP JS to search the report rules-->Install rear Packagexccdf_org.ssgproject.content_rule_package_rear_installed mediumCCE-83503-3 </div><div class="panel-heading"><h3 class="panel-title">Install rear Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rear_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rear_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83503-3">CCE-83503-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rear</code> package can be installed with the following command:
<pre>
$ sudo dnf install rear</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>rear</code> contains the Relax-and-Recover (ReaR) utility. ReaR produces a bootable image of a system and restores from backup using this image.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184092736" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362184092736"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease ) || ( grep -q aarch64 /proc/sys/kernel/osrelease ) || ( grep -q s390x /proc/sys/kernel/osrelease ) ) ); then

if ! rpm -q --quiet "rear" ; then
    dnf install -y "rear"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184090176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184090176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
  package:
    name: rear
    state: present
  when: not ( ( ( ansible_architecture == "aarch64" and ansible_distribution == "OracleLinux"
    and ansible_distribution_version is version("9.0", ">=") ) or ( ansible_architecture
    == "aarch64" and ansible_distribution == "RedHat" and ansible_distribution_version
    is version("9.0", ">=") ) or ( ansible_distribution == "RedHat" and ansible_distribution_version
    is version("8.4", "<=") and ansible_architecture == "s390x" ) ) )
  tags:
  - CCE-83503-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_rear_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184087072" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184087072"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear

class install_rear {
  package { 'rear':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184084928" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184084928"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
package --add=rear
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184082944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184082944"><pre><code>
[[packages]]
name = "rear"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rear is installed</span> <span class="label label-default">oval:ssg-test_package_rear_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rear_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rear</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-detail-idm46361752945632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Only Security Updatesxccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only lowCCE-83461-4 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Only Security Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_security_updates_only:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83461-4">CCE-83461-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under the <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, <code>dnf-automatic</code> installs all available updates. Restricting the updated packages to those issued as part of a security advisory increases system stability.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183818624" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362183818624"><pre><code>
found=false

# set value in all files if they contain section or key
for f in $(echo -n "/etc/dnf/automatic.conf"); do
    if [ ! -e "$f" ]; then
        continue
    fi

    # find key in section and change value
    if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
        sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" "$f"
        found=true

    # find section and add key = value to it
    elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
        sed -i "/[[:space:]]*\[commands\]/a upgrade_type = security" "$f"
        found=true
    fi
done

# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
    file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ')
    mkdir -p "$(dirname "$file")"
    echo -e "[commands]\nupgrade_type = security" >> "$file"
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_dnf-automatic_security_updates_only:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="The configuration file /etc/dnf/automatic.conf for dnf-automatic_security_updates_only">oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/dnf/automatic.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm46361752941632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main dnf Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-83457-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main dnf Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_globally_activated:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83457-2">CCE-83457-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>gpgcheck</code> option controls whether >RPM packages' signatures are always checked prior to installation. 
>To configure dnf to check package signatures before installing >them, ensure the following line appears in <code>/etc/dnf/dnf.conf</code> in >the <code>[main]</code> section: ><pre>gpgcheck=1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the >overall security of the operating system. This requirement ensures the >software has not been tampered with and that it has been provided by a >trusted vendor. ><br> >Accordingly, patches, service packs, device drivers, or operating system >components must be signed with a certificate recognized and approved by the >organization. ><br>Verifying the authenticity of the software prior to installation >validates the integrity of the patch or upgrade received from a vendor. >This ensures the software has not been tampered with and that it has been >provided by a trusted vendor. Self-signed certificates are disallowed by >this requirement. Certificates used to verify the software must be from an >approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of gpgcheck in /etc/dnf/dnf.conf</span> > <span class="label label-default">oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/dnf.conf</td><td>gpgcheck=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" 
id="rule-detail-idm46361752937632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-83463-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_local_packages:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83463-0">CCE-83463-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>dnf</code> should be configured to verify the signature(s) of local packages >prior to installation. 
To configure <code>dnf</code> to verify signatures of local >packages, set <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/dnf/dnf.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security >of the operating system. This requirement ensures the software has not been tampered with and >has been provided by a trusted vendor. ><br><br> >Accordingly, patches, service packs, device drivers, or operating system components must >be signed with a certificate recognized and approved by the organization.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183720464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362183720464"><pre><code># Remediation is applicable only in certain platforms >if rpm --quiet -q yum; then > ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. >sed_command=('sed' '-i') >if test -L "/etc/dnf/dnf.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. >stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "1" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. 
>if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/dnf/dnf.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/dnf/dnf.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83463-0" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/dnf/dnf.conf" >> "/etc/dnf/dnf.conf" > printf '%s\n' "$formatted_output" >> "/etc/dnf/dnf.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183717408" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362183717408"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>unknown</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83463-0 > - NIST-800-171-3.4.8 > - NIST-800-53-CM-11(a) > - NIST-800-53-CM-11(b) > - NIST-800-53-CM-5(3) > - NIST-800-53-CM-6(a) > - NIST-800-53-SA-12 > - NIST-800-53-SA-12(10) > - ensure_gpgcheck_local_packages > - high_severity > - low_complexity > - medium_disruption > - no_reboot_needed > - unknown_strategy > >- name: Ensure GPG check Enabled for Local Packages (dnf) > block: > > - name: Check stats of dnf > stat: > path: /etc/dnf/dnf.conf > register: pkg > > - name: Check if config file of dnf is a symlink > ansible.builtin.set_fact: > pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is match("^/.*") > else "/etc/dnf/dnf.conf" | dirname ~ "/" ~ pkg.stat.lnk_target }}' > 
when: pkg.stat.lnk_target is defined > > - name: Ensure GPG check Enabled for Local Packages (dnf) > ini_file: > dest: '{{ pkg_config_file_symlink | default("/etc/dnf/dnf.conf") }}' > section: main > option: localpkg_gpgcheck > value: 1 > no_extra_spaces: true > create: true > when: '"yum" in ansible_facts.packages' > tags: > - CCE-83463-0 > - NIST-800-171-3.4.8 > - NIST-800-53-CM-11(a) > - NIST-800-53-CM-11(b) > - NIST-800-53-CM-5(3) > - NIST-800-53-CM-6(a) > - NIST-800-53-SA-12 > - NIST-800-53-SA-12(10) > - ensure_gpgcheck_local_packages > - high_severity > - low_complexity > - medium_disruption > - no_reboot_needed > - unknown_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of localpkg_gpgcheck in /etc/dnf/dnf.conf</span> > <span class="label label-default">oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="localpkg_gpgcheck set in /etc/dnf/dnf.conf">oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/dnf.conf</td><td>^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idm46361752933632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure 
gpgcheck Enabled for All dnf Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-83464-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for All dnf Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_never_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83464-8">CCE-83464-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure signature checking is not disabled for >any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: ><pre>gpgcheck=0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Verifying the authenticity of the software prior to installation validates >the integrity of the patch or upgrade received from a vendor. This ensures >the software has not been tampered with and that it has been provided by a >trusted vendor. 
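The three gpgcheck rules above (gpgcheck in the main dnf configuration, localpkg_gpgcheck, and no gpgcheck=0 in any repository file) all come down to a few lines in /etc/dnf/dnf.conf and /etc/yum.repos.d/*.repo. The following POSIX shell helper is an added example, not SSG content and not part of this report: it re-implements the three checks and the symlink-aware fix from the remediation script, and runs against constructed fixture files rather than the live system, so the paths and file contents are assumptions. It also goes two steps beyond the report's OVAL objects on purpose: it reads the last occurrence of a key in dnf.conf, so an earlier gpgcheck=1 does not hide a later gpgcheck=0 (the OVAL objects above evaluate Instance 1, the first match only), and it treats gpgcheck=no and gpgcheck=false in a repo file as disabled, which the literal ^\s*gpgcheck\s*=\s*0\s*$ pattern does not catch.

```shell
#!/bin/sh
# Added example, not SSG or OpenSCAP code: audit-and-fix helper for the
# gpgcheck rules. Config paths are passed as arguments so it can run against
# the constructed fixtures below instead of /etc/dnf/dnf.conf and
# /etc/yum.repos.d. Assumes POSIX sh, awk, grep, readlink -f and GNU sed -i.

# last_value FILE KEY: value of the last "KEY = value" line in FILE, with a
# trailing "# comment" stripped. Reading the last line (not the first match,
# as the report's OVAL objects do) is what matters when a key is duplicated.
last_value() {
    awk -v key="$2" '
        BEGIN { pre = "^[ \t]*" key "[ \t]*=[ \t]*" }
        $0 ~ pre { sub(pre, ""); sub("[ \t]*(#.*)?$", ""); v = $0 }
        END { print v }' "$1"
}

# is_true VALUE: the boolean spellings dnf.conf(5) documents, lower-cased
is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|true) return 0 ;;
        *)          return 1 ;;
    esac
}

# ensure_gpgcheck_globally_activated: gpgcheck must be on in dnf.conf
check_main_gpgcheck()  { is_true "$(last_value "$1" gpgcheck)"; }

# ensure_gpgcheck_local_packages: localpkg_gpgcheck must be on in dnf.conf
check_local_gpgcheck() { is_true "$(last_value "$1" localpkg_gpgcheck)"; }

# ensure_gpgcheck_never_disabled: no repo file may switch gpgcheck off.
# Beyond the report's literal "gpgcheck=0" pattern, "no" and "false" count too.
check_repos_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        if grep -Eqi '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*(0|no|false)[[:space:]]*$' "$f"; then
            printf 'gpgcheck disabled in %s\n' "$f" >&2
            return 1
        fi
    done
    return 0
}

# set_key FILE KEY VALUE: idempotent "KEY = VALUE". Follows a symlinked config
# like the remediation script does; rewrites every existing KEY line, else
# appends (fine for dnf.conf, which normally holds only a [main] section).
set_key() {
    file=$1; key=$2; value=$3
    [ -L "$file" ] && file=$(readlink -f "$file")
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# audit DNFCONF REPODIR: run the three checks and return the failure count
audit() {
    fails=0
    check_main_gpgcheck  "$1" && echo "pass gpgcheck"          || { echo "FAIL gpgcheck";          fails=$((fails+1)); }
    check_local_gpgcheck "$1" && echo "pass localpkg_gpgcheck" || { echo "FAIL localpkg_gpgcheck"; fails=$((fails+1)); }
    check_repos_gpgcheck "$2" && echo "pass repo gpgcheck"     || { echo "FAIL repo gpgcheck";     fails=$((fails+1)); }
    return "$fails"
}

# make_fixtures: constructed sample files, not taken from any real host. The
# main config is compliant, localpkg_gpgcheck is absent (the fail in this
# report), and an internal mirror repo turns signature checks off.
make_fixtures() {
    d=$(mktemp -d)
    mkdir -p "$d/yum.repos.d"
    printf '[main]\ngpgcheck=1\ninstallonly_limit=3\n' > "$d/dnf.conf"
    printf '[baseos]\nname=BaseOS\nbaseurl=https://example.invalid/baseos\ngpgcheck=1\n' \
        > "$d/yum.repos.d/redhat.repo"
    printf '[internal]\nname=Internal mirror\nbaseurl=https://example.invalid/internal\ngpgcheck=0\n' \
        > "$d/yum.repos.d/internal.repo"
    printf '%s' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixtures)
    audit "$d/dnf.conf" "$d/yum.repos.d"        # two failures on the fixtures
    set_key "$d/dnf.conf" localpkg_gpgcheck 1
    set_key "$d/yum.repos.d/internal.repo" gpgcheck 1
    audit "$d/dnf.conf" "$d/yum.repos.d"        # clean after the fix
    rm -rf "$d"
fi
```

Run it with --demo to see the fixtures fail and then pass; on a real host call audit /etc/dnf/dnf.conf /etc/yum.repos.d instead. Note that set_key rewrites every gpgcheck line in a repo file, so on a multi-section .repo it enables checking for all of its sections at once; review the diff before applying it to production repo definitions.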
Self-signed certificates are disallowed by >this requirement. Certificates used to verify the software must be from an >approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for existence of gpgcheck=0 in /etc/yum.repos.d/ files</span> > <span class="label label-default">oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.repos.d</td><td>.*</td><td>^\s*gpgcheck\s*=\s*0\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-detail-idm46361752929632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-84180-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_redhat_gpgkey_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84180-9">CCE-84180-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the system can cryptographically verify base software packages
come from Red Hat (and to connect to the Red Hat Network to receive them),
the Red Hat GPG key must properly be installed. To install the Red Hat GPG
key, run:
<pre>$ sudo subscription-manager register</pre>

If the system is not connected to the Internet or an RHN Satellite, then
install the Red Hat GPG key from trusted media such as the Red Hat
installation CD-ROM or DVD. Assuming the disc is mounted in
<code>/media/cdrom</code>, use the following command as the root user to import
it into the keyring:
<pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre>

Alternatively, the key may be pre-loaded during the RHEL installation. In
such cases, the key can be installed by running the following command:
<pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to software components can have significant effects on the overall
security of the operating system. This requirement ensures the software has
not been tampered with and that it has been provided by a trusted vendor.
The Red Hat GPG key is necessary to cryptographically verify packages are
from Red Hat.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> > <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> > <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> > <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> > <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> > <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> > <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been 
found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> > <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Red Hat release key package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table><h4><span class="label label-primary">Red Hat auxiliary key package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-5a6340b3-6229229e_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > 
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> > <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type > <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label 
label-primary">Check os-release ID</span> > <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> > <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">CentOS9 key 
package is installed</span> > <span class="label label-default">oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm46361752925632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date mediumCCE-84185-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>yes</td></tr><tr><td>OVAL Definition ID</td><td></td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84185-8">CCE-84185-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R08)</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">20</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO12.01</a>, <a href="https://www.isaca.org/resources/cobit">APO12.02</a>, <a href="https://www.isaca.org/resources/cobit">APO12.03</a>, <a href="https://www.isaca.org/resources/cobit">APO12.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001227</a>, <a
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.12</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.9</a></p></td></tr><tr><td>Description</td><td><div class="description"><br><br>
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy
dictates.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The OVAL feed of Red Hat Enterprise Linux 9 is not an XML file, which may not be understood by all scanners.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm46361752843360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-83587-6 </div><div class="panel-heading"><h3 class="panel-title">Lock Accounts After Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83587-6">CCE-83587-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out accounts after a number of incorrect login attempts >using <code>pam_faillock.so</code>. > >pam_faillock.so module requires multiple entries in pam files. These entries must be carefully >defined to work as expected. > >In order to avoid errors when manually editing these files, it is >recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>, >depending on the OS version.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via >user password guessing, also known as brute-forcing, is reduced. 
Limits are imposed by locking >the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > If the system relies on <code>authselect</code> tool to manage PAM settings, the remediation >will also use <code>authselect</code> tool. However, if any manual modification was made in >PAM files, the <code>authselect</code> integrity check will fail and the remediation will be >aborted in order to preserve intentional changes. In this case, an informative message will >be shown in the remediation report. >If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock >parameters should be defined in <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182315024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362182315024"><pre><code># Remediation is applicable only in certain platforms >if rpm --quiet -q pam; then > >var_accounts_passwords_pam_faillock_deny='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr>' > > >if [ -f /usr/bin/authselect ]; then > if ! authselect check; then >echo " >authselect integrity check failed. Remediation aborted! >This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. >It is not recommended to manually edit the PAM files when authselect tool is available. >In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." 
>exit 1 >fi >authselect enable-feature with-faillock > >authselect apply-changes -b >else > >AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") >for pam_file in "${AUTH_FILES[@]}" >do > if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then > sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" > sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" > sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" > fi > sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" >done > >fi > >AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") > >FAILLOCK_CONF="/etc/security/faillock.conf" >if [ -f $FAILLOCK_CONF ]; then > regex="^\s*deny\s*=" > line="deny = $var_accounts_passwords_pam_faillock_deny" > if ! grep -q $regex $FAILLOCK_CONF; then > echo $line >> $FAILLOCK_CONF > else > sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF > fi > for pam_file in "${AUTH_FILES[@]}" > do > if [ -e "$pam_file" ] ; then > PAM_FILE_PATH="$pam_file" > if [ -f /usr/bin/authselect ]; then > > if ! authselect check; then > echo " > authselect integrity check failed. Remediation aborted! > This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. > It is not recommended to manually edit the PAM files when authselect tool is available. > In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." > exit 1 > fi > > CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') > # If not already in use, a custom profile is created preserving the enabled features. > if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then > ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') > authselect create-profile hardening -b $CURRENT_PROFILE > CURRENT_PROFILE="custom/hardening" > > authselect apply-changes -b --backup=before-hardening-custom-profile > authselect select $CURRENT_PROFILE > for feature in $ENABLED_FEATURES; do > authselect enable-feature $feature; > done > > authselect apply-changes -b --backup=after-hardening-custom-profile > fi > PAM_FILE_NAME=$(basename "$pam_file") > PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" > > authselect apply-changes -b > fi > > if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then > sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" > fi > if [ -f /usr/bin/authselect ]; then > > authselect apply-changes -b > fi > else > echo "$pam_file was not found" >&2 > fi > done >else > for pam_file in "${AUTH_FILES[@]}" > do > if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file" > else > sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" > sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file" > fi > done >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182301904" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362182301904"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect > tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > when: '"pam" in 
ansible_facts.packages' > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Remediation where authselect > tool is present > block: > > - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect > current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Lock Accounts After Failed Password Attempts - Informative message based > on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was not > selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific demand, > a custom authselect profile is recommended. 
> success_msg: > - authselect integrity check passed > > - name: Lock Accounts After Failed Password Attempts - Get authselect current features > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature > is enabled using authselect tool > ansible.builtin.command: > cmd: authselect enable-feature with-faillock > register: result_authselect_enable_feature_cmd > when: > - result_authselect_check_cmd is success > - result_authselect_features.stdout is not search("with-faillock") > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_enable_feature_cmd is not skipped > - result_authselect_enable_feature_cmd is success > when: > - '"pam" in ansible_facts.packages' > - result_authselect_present.stat.exists > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Remediation where authselect > tool is not present > block: > > - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so > is already enabled > ansible.builtin.lineinfile: > path: /etc/pam.d/system-auth > regexp: .*auth.*pam_faillock\.so (preauth|authfail) > state: absent > check_mode: true > changed_when: false > register: result_pam_faillock_is_enabled > > - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth > editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: auth required pam_faillock.so preauth > 
insertbefore: ^auth.*sufficient.*pam_unix\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > > - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail > editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: auth required pam_faillock.so authfail > insertbefore: ^auth.*required.*pam_deny\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > > - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account > section editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: account required pam_faillock.so > insertbefore: ^account.*required.*pam_unix\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > when: > - '"pam" in ansible_facts.packages' > - not result_authselect_present.stat.exists > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy >- name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable > set_fact: > var_accounts_passwords_pam_faillock_deny: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> > tags: > - always > >- name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf > file > ansible.builtin.stat: > path: /etc/security/faillock.conf > register: result_faillock_conf_check > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so > deny parameter in /etc/security/faillock.conf > ansible.builtin.lineinfile: > path: /etc/security/faillock.conf > regexp: ^\s*deny\s*= > line: deny = {{ var_accounts_passwords_pam_faillock_deny }} > state: present > when: > - '"pam" in ansible_facts.packages' > - result_faillock_conf_check.stat.exists > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so > deny parameter not in PAM files > block: > > - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth > file is present > ansible.builtin.stat: > path: /etc/pam.d/system-auth > register: result_pam_file_present > > - name: Lock Accounts After Failed Password Attempts - Check the proper remediation > for the system > block: > > - name: Lock Accounts After Failed Password Attempts - Define the PAM file to > be edited as a local fact > ansible.builtin.set_fact: > pam_file_path: /etc/pam.d/system-auth > > - name: Lock Accounts After Failed Password Attempts - Check if system relies > on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom > profile is used if authselect is present > block: > > - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect > current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > 
ignore_errors: true > > - name: Lock Accounts After Failed Password Attempts - Informative message based > on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was > not selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific > demand, a custom authselect profile is recommended. > success_msg: > - authselect integrity check passed > > - name: Lock Accounts After Failed Password Attempts - Get authselect current > profile > ansible.builtin.shell: > cmd: authselect current -r | awk '{ print $1 }' > register: result_authselect_profile > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Lock Accounts After Failed Password Attempts - Define the current authselect > profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: '{{ result_authselect_profile.stdout }}' > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Define the new authselect > custom profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: custom/hardening > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Get authselect current > features to also enable them in the custom profile > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: 
result_authselect_features > changed_when: false > when: > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Check if any custom profile > with the same name was already created > ansible.builtin.stat: > path: /etc/authselect/{{ authselect_custom_profile }} > register: result_authselect_custom_profile_present > changed_when: false > when: > - authselect_current_profile is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Create an authselect > custom profile based on the current profile > ansible.builtin.command: > cmd: authselect create-profile hardening -b {{ authselect_current_profile > }} > when: > - result_authselect_check_cmd is success > - authselect_current_profile is not match("custom/") > - not result_authselect_custom_profile_present.stat.exists > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=before-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Lock Accounts After Failed Password Attempts - Ensure the authselect > custom profile is selected > ansible.builtin.command: > cmd: authselect select {{ authselect_custom_profile }} > register: result_pam_authselect_select_profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Lock Accounts After Failed Password Attempts - Restore the authselect > features in the custom profile > ansible.builtin.command: > cmd: authselect enable-feature {{ item }} > loop: '{{ 
result_authselect_features.stdout_lines }}' > register: result_pam_authselect_restore_features > when: > - result_authselect_profile is not skipped > - result_authselect_features is not skipped > - result_pam_authselect_select_profile is not skipped > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=after-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - result_pam_authselect_restore_features is not skipped > > - name: Lock Accounts After Failed Password Attempts - Change the PAM file to > be edited according to the custom authselect profile > ansible.builtin.set_fact: > pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path > | basename }} > when: > - result_authselect_present.stat.exists > > - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option > from "pam_faillock.so" is not present in {{ pam_file_path }} > ansible.builtin.replace: > dest: '{{ pam_file_path }}' > regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) > replace: \1\2 > register: result_pam_option_removal > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_present.stat.exists > - result_pam_option_removal is changed > when: > - result_pam_file_present.stat.exists > > - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth > file is present > ansible.builtin.stat: > path: /etc/pam.d/password-auth > register: result_pam_file_present > > - name: Lock Accounts After Failed Password Attempts - Check the proper remediation > for the system > block: > > - name: Lock Accounts After Failed Password Attempts - Define the PAM file to > be edited as a local fact > ansible.builtin.set_fact: > 
pam_file_path: /etc/pam.d/password-auth > > - name: Lock Accounts After Failed Password Attempts - Check if system relies > on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom > profile is used if authselect is present > block: > > - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect > current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Lock Accounts After Failed Password Attempts - Informative message based > on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was > not selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific > demand, a custom authselect profile is recommended. 
> success_msg: > - authselect integrity check passed > > - name: Lock Accounts After Failed Password Attempts - Get authselect current > profile > ansible.builtin.shell: > cmd: authselect current -r | awk '{ print $1 }' > register: result_authselect_profile > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Lock Accounts After Failed Password Attempts - Define the current authselect > profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: '{{ result_authselect_profile.stdout }}' > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Define the new authselect > custom profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: custom/hardening > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Get authselect current > features to also enable them in the custom profile > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Check if any custom profile > with the same name was already created > ansible.builtin.stat: > path: /etc/authselect/{{ authselect_custom_profile }} > register: result_authselect_custom_profile_present > changed_when: false > when: > - authselect_current_profile is not match("custom/") > > - name: Lock Accounts After Failed Password Attempts - Create an authselect > custom profile based on the current profile > ansible.builtin.command: > cmd: 
authselect create-profile hardening -b {{ authselect_current_profile > }} > when: > - result_authselect_check_cmd is success > - authselect_current_profile is not match("custom/") > - not result_authselect_custom_profile_present.stat.exists > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=before-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Lock Accounts After Failed Password Attempts - Ensure the authselect > custom profile is selected > ansible.builtin.command: > cmd: authselect select {{ authselect_custom_profile }} > register: result_pam_authselect_select_profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Lock Accounts After Failed Password Attempts - Restore the authselect > features in the custom profile > ansible.builtin.command: > cmd: authselect enable-feature {{ item }} > loop: '{{ result_authselect_features.stdout_lines }}' > register: result_pam_authselect_restore_features > when: > - result_authselect_profile is not skipped > - result_authselect_features is not skipped > - result_pam_authselect_select_profile is not skipped > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=after-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - result_pam_authselect_restore_features is not skipped > > - name: Lock Accounts After Failed Password Attempts - Change 
the PAM file to > be edited according to the custom authselect profile > ansible.builtin.set_fact: > pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path > | basename }} > when: > - result_authselect_present.stat.exists > > - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option > from "pam_faillock.so" is not present in {{ pam_file_path }} > ansible.builtin.replace: > dest: '{{ pam_file_path }}' > regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) > replace: \1\2 > register: result_pam_option_removal > > - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_present.stat.exists > - result_pam_option_removal is changed > when: > - result_pam_file_present.stat.exists > when: > - '"pam" in ansible_facts.packages' > - result_faillock_conf_check.stat.exists > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so > deny parameter in PAM files > block: > > - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so > deny parameter is already enabled in pam files > ansible.builtin.lineinfile: > path: /etc/pam.d/system-auth > regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny > state: absent > check_mode: true > changed_when: false > register: result_pam_faillock_deny_parameter_is_present > > - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so > preauth deny parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) 
> line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_deny_parameter_is_present.found == 0 > > - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so > authfail deny parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) > line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_deny_parameter_is_present.found == 0 > > - name: Lock Accounts After Failed Password Attempts - Ensure the desired value > for pam_faillock.so preauth deny parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_deny_parameter_is_present.found > 0 > > - name: Lock Accounts After Failed Password Attempts - Ensure the desired value > for pam_faillock.so authfail deny parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_deny_parameter_is_present.found > 0 > when: > - '"pam" in ansible_facts.packages' > - not result_faillock_conf_check.stat.exists > tags: > - CCE-83587-6 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.6 > - 
accounts_passwords_pam_faillock_deny > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of 
system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in system-auth</span> > <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in /etc/security/faillock.conf</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1</span> > <span class="label 
label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*deny[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from password-auth 
file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in /etc/security/faillock.conf</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*deny[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-detail-idm46361752838496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-83589-2 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83589-2">CCE-83589-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a 
href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out the <code>root</code> account after a number of >incorrect login attempts using <code>pam_faillock.so</code>. > >pam_faillock.so module requires multiple entries in pam files. These entries must be carefully >defined to work as expected. In order to avoid errors when manually editing these files, it is >recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>, >depending on the OS version.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via >user password guessing, also known as brute-forcing, is reduced. 
Limits are imposed by locking >the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > If the system relies on <code>authselect</code> tool to manage PAM settings, the remediation >will also use <code>authselect</code> tool. However, if any manual modification was made in >PAM files, the <code>authselect</code> integrity check will fail and the remediation will be >aborted in order to preserve intentional changes. In this case, an informative message will >be shown in the remediation report. >If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock >parameters should be defined in <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182204768" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362182204768"><pre><code># Remediation is applicable only in certain platforms >if rpm --quiet -q pam; then > >if [ -f /usr/bin/authselect ]; then > if ! authselect check; then >echo " >authselect integrity check failed. Remediation aborted! >This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. >It is not recommended to manually edit the PAM files when authselect tool is available. >In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." >exit 1 >fi >authselect enable-feature with-faillock > >authselect apply-changes -b >else > >AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") >for pam_file in "${AUTH_FILES[@]}" >do > if ! 
grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then > sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" > sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" > sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" > fi > sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" >done > >fi > >AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") > >FAILLOCK_CONF="/etc/security/faillock.conf" >if [ -f $FAILLOCK_CONF ]; then > regex="^\s*even_deny_root" > line="even_deny_root" > if ! grep -q $regex $FAILLOCK_CONF; then > echo $line >> $FAILLOCK_CONF > fi > for pam_file in "${AUTH_FILES[@]}" > do > if [ -e "$pam_file" ] ; then > PAM_FILE_PATH="$pam_file" > if [ -f /usr/bin/authselect ]; then > > if ! authselect check; then > echo " > authselect integrity check failed. Remediation aborted! > This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. > It is not recommended to manually edit the PAM files when authselect tool is available. > In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." > exit 1 > fi > > CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') > # If not already in use, a custom profile is created preserving the enabled features. > if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then > ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') > authselect create-profile hardening -b $CURRENT_PROFILE > CURRENT_PROFILE="custom/hardening" > > authselect apply-changes -b --backup=before-hardening-custom-profile > authselect select $CURRENT_PROFILE > for feature in $ENABLED_FEATURES; do > authselect enable-feature $feature; > done > > authselect apply-changes -b --backup=after-hardening-custom-profile > fi > PAM_FILE_NAME=$(basename "$pam_file") > PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" > > authselect apply-changes -b > fi > > if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then > sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" > fi > if [ -f /usr/bin/authselect ]; then > > authselect apply-changes -b > fi > else > echo "$pam_file was not found" >&2 > fi > done >else > for pam_file in "${AUTH_FILES[@]}" > do > if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file" > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file" > fi > done >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182192672" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362182192672"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83589-2 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Check if system > relies on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83589-2 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Remediation where > authselect tool is present > block: > > - name: Configure the root Account for Failed 
Password Attempts - Check integrity > of authselect current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Configure the root Account for Failed Password Attempts - Informative message > based on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was not > selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific demand, > a custom authselect profile is recommended. > success_msg: > - authselect integrity check passed > > - name: Configure the root Account for Failed Password Attempts - Get authselect > current features > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock" > feature is enabled using authselect tool > ansible.builtin.command: > cmd: authselect enable-feature with-faillock > register: result_authselect_enable_feature_cmd > when: > - result_authselect_check_cmd is success > - result_authselect_features.stdout is not search("with-faillock") > > - name: Configure the root Account for Failed Password Attempts - Ensure authselect > changes are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_enable_feature_cmd is not skipped > - result_authselect_enable_feature_cmd is success > when: > - '"pam" in ansible_facts.packages' > - result_authselect_present.stat.exists > tags: > - CCE-83589-2 > - 
NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Remediation where > authselect tool is not present > block: > > - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so > is already enabled > ansible.builtin.lineinfile: > path: /etc/pam.d/system-auth > regexp: .*auth.*pam_faillock\.so (preauth|authfail) > state: absent > check_mode: true > changed_when: false > register: result_pam_faillock_is_enabled > > - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so > preauth editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: auth required pam_faillock.so preauth > insertbefore: ^auth.*sufficient.*pam_unix\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > > - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so > authfail editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: auth required pam_faillock.so authfail > insertbefore: ^auth.*required.*pam_deny\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > > - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so > account section editing PAM files > ansible.builtin.lineinfile: > path: '{{ item }}' > line: account required pam_faillock.so > insertbefore: ^account.*required.*pam_unix\.so.* > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_is_enabled.found == 0 > when: > - '"pam" in ansible_facts.packages' > - not result_authselect_present.stat.exists > tags: > - 
CCE-83589-2 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Check the presence > of /etc/security/faillock.conf file > ansible.builtin.stat: > path: /etc/security/faillock.conf > register: result_faillock_conf_check > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83589-2 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so > even_deny_root parameter in /etc/security/faillock.conf > ansible.builtin.lineinfile: > path: /etc/security/faillock.conf > regexp: ^\s*even_deny_root > line: even_deny_root > state: present > when: > - '"pam" in ansible_facts.packages' > - result_faillock_conf_check.stat.exists > tags: > - CCE-83589-2 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - NIST-800-53-IA-5(c) > - accounts_passwords_pam_faillock_deny_root > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so > even_deny_root parameter not in PAM files > block: > > - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth > file is present > ansible.builtin.stat: > path: /etc/pam.d/system-auth > register: result_pam_file_present > > - name: Configure the root Account for Failed Password Attempts - Check the proper > remediation for the system > block: > > - name: Configure the root Account for Failed Password Attempts - Define the PAM > file to be edited as a local fact > ansible.builtin.set_fact: > 
pam_file_path: /etc/pam.d/system-auth > > - name: Configure the root Account for Failed Password Attempts - Check if system > relies on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > > - name: Configure the root Account for Failed Password Attempts - Ensure authselect > custom profile is used if authselect is present > block: > > - name: Configure the root Account for Failed Password Attempts - Check integrity > of authselect current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Configure the root Account for Failed Password Attempts - Informative > message based on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was > not selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific > demand, a custom authselect profile is recommended. 
          success_msg:
          - authselect integrity check passed

      - name: Configure the root Account for Failed Password Attempts - Get authselect current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists

  - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present

  - name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system
    block:

    - name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
      block:

      - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Configure the root Account for Failed Password Attempts - Get authselect current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83589-2
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_faillock_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in PAM files
  block:

  - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so even_deny_root parameter is already enabled in pam files
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_even_deny_root_parameter_is_present

  - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth even_deny_root parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
      line: \1required\3 even_deny_root
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_even_deny_root_parameter_is_present.found == 0

  - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail even_deny_root parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
      line: \1required\3 even_deny_root
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_even_deny_root_parameter_is_present.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_faillock_conf_check.stat.exists
  tags:
  - CCE-83589-2
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(c)
  - accounts_passwords_pam_faillock_deny_root
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table>
<div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span>
<div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped 
table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">One and only one pattern occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">One and only one pattern occurrence is expected in account section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">One and only one pattern occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">One and only one pattern occurrence is expected in account section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the expected even_deny_root parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the expected even_deny_root parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the absence of even_deny_root parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1</span> <span class="label label-success">true</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Try to get the even_deny_root parameter from /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*even_deny_root</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the absence of even_deny_root parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1</span> <span class="label label-success">true</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the absence of even_deny_root parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1</span> <span class="label label-success">true</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">Check the expected even_deny_root parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1</span> <span class="label label-danger">false</span></h4>
<h5>No items have been found conforming to the following objects:</h5>
<h5>Object <strong><abbr title="Try to get the even_deny_root parameter from /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5>
<table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*even_deny_root</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table>
</div></div></div></div></div>
<div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm46361752829680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-83583-5 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr>
<tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr>
<tr><td>Multi-check rule</td><td>no</td></tr>
<tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_interval:def:1</td></tr>
<tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr>
<tr><td>Severity</td><td>medium</td></tr>
<tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83583-5">CCE-83583-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr>
<tr><td>Description</td><td><div class="description">Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period.</div></td></tr>
<tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</div></td></tr>
<tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation will also use the <code>authselect</code> tool. 
However, if any manual modification was made in PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock parameters should be defined in the <code>faillock.conf</code> file.</div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181987520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362181987520"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_fail_interval='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr>'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature with-faillock

authselect apply-changes -b
else

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
for pam_file in "${AUTH_FILES[@]}"
do
    if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
        sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
        sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
        sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
    fi
    sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
done

fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*fail_interval\s*="
    line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then

                if ! authselect check; then
                echo "
                authselect integrity check failed. Remediation aborted!
                This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                It is not recommended to manually edit the PAM files when authselect tool is available.
                In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"

                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done

                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi

            if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then
                sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
            fi
            if [ -f /usr/bin/authselect ]; then

                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! 
grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" > sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" > else > sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" > sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" > fi > done >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181974256" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362181974256"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83583-5 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - accounts_passwords_pam_faillock_interval > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set Interval For Counting Failed Password Attempts - Check if system relies > on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: 
result_authselect_present > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83583-5 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - accounts_passwords_pam_faillock_interval > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect > tool is present > block: > > - name: Set Interval For Counting Failed Password Attempts - Check integrity of > authselect current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Set Interval For Counting Failed Password Attempts - Informative message > based on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! > - This remediation could not be applied because an authselect profile was not > selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific demand, > a custom authselect profile is recommended. 
      success_msg:
      - authselect integrity check passed

  - name: Set Interval For Counting Failed Password Attempts - Get authselect current
      features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: Set Interval For Counting Failed Password Attempts - Ensure "with-faillock"
      feature is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature with-faillock
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-faillock")

  - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-83583-5
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - accounts_passwords_pam_faillock_interval
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interval For Counting Failed Password Attempts - Remediation where authselect
    tool is not present
  block:

  - name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
      is already enabled
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail)
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_is_enabled

  - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
      preauth editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so preauth
      insertbefore: ^auth.*sufficient.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
      authfail editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so authfail
      insertbefore: ^auth.*required.*pam_deny\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so
      account section editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: account required pam_faillock.so
      insertbefore: ^account.*required.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_authselect_present.stat.exists
  tags:
  - CCE-83583-5
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - accounts_passwords_pam_faillock_interval
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_fail_interval: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr>
  tags:
  - always

- name: Set Interval For Counting Failed Password Attempts - Check the presence of
    /etc/security/faillock.conf file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83583-5
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - accounts_passwords_pam_faillock_interval
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
    fail_interval parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*fail_interval\s*=
    line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }}
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83583-5
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - accounts_passwords_pam_faillock_interval
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
    fail_interval parameter not in PAM files
  block:

  - name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/system-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/system-auth
    register: result_pam_file_present

  - name: Set Interval For Counting Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Interval For Counting Failed Password Attempts - Define the PAM file
        to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: Set Interval For Counting Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
        custom profile is used if authselect is present
      block:

      - name: Set Interval For Counting Failed Password Attempts - Check integrity
          of authselect current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Interval For Counting Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Set Interval For Counting Failed Password Attempts - Get authselect
          current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Set Interval For Counting Failed Password Attempts - Define the current
          authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Define the new
          authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Get authselect
          current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Check if any custom
          profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
          changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Interval For Counting Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
          changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Set Interval For Counting Failed Password Attempts - Change the PAM
          file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
        option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
        changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists

  - name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/password-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present

  - name: Set Interval For Counting Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Interval For Counting Failed Password Attempts - Define the PAM file
        to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Set Interval For Counting Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
        custom profile is used if authselect is present
      block:

      - name: Set Interval For Counting Failed Password Attempts - Check integrity
          of authselect current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Interval For Counting Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Set Interval For Counting Failed Password Attempts - Get authselect
          current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Set Interval For Counting Failed Password Attempts - Define the current
          authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Define the new
          authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Get authselect
          current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Check if any custom
          profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Set Interval For Counting Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile
            }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
          changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Interval For Counting Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Interval For Counting Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
          changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Set Interval For Counting Failed Password Attempts - Change the PAM
          file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
            | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval"
        option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Set Interval For Counting Failed Password Attempts - Ensure authselect
        changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83583-5
  - NIST-800-53-AC-7(a)
  - NIST-800-53-CM-6(a)
  - accounts_passwords_pam_faillock_interval
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so
    fail_interval parameter in PAM files
  block:

  - name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so
      fail_interval parameter is already enabled in pam files
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_fail_interval_parameter_is_present

  - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion
      of pam_faillock.so preauth fail_interval parameter in auth section
    ansible.builtin.lineinfile:
path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) > line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval > }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_fail_interval_parameter_is_present.found == 0 > > - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion > of pam_faillock.so authfail fail_interval parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) > line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval > }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_fail_interval_parameter_is_present.found == 0 > > - name: Set Interval For Counting Failed Password Attempts - Ensure the desired > value for pam_faillock.so preauth fail_interval parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_fail_interval_parameter_is_present.found > 0 > > - name: Set Interval For Counting Failed Password Attempts - Ensure the desired > value for pam_faillock.so authfail fail_interval parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - 
result_pam_faillock_fail_interval_parameter_is_present.found > 0 > when: > - '"pam" in ansible_facts.packages' > - not result_faillock_conf_check.stat.exists > tags: > - CCE-83583-5 > - NIST-800-53-AC-7(a) > - NIST-800-53-CM-6(a) > - accounts_passwords_pam_faillock_interval > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth 
section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1</span> > <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span>
<span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in system-auth</span>
<span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in password-auth</span>
<span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in /etc/security/faillock.conf</span>
<span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so fail_interval parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*fail_interval[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in system-auth</span>
<span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in password-auth</span>
<span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1</span>
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the 
following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in /etc/security/faillock.conf</span>
<span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so fail_interval parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Pattern</th><th>Filepath</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*fail_interval[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm46361752822064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-83588-4 </div><div 
class="panel-heading"><h3 class="panel-title">Set Lockout Time for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83588-4">CCE-83588-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, 
<a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000329-VMM-001180</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using <code>pam_faillock.so</code>.

The pam_faillock.so module requires multiple entries in PAM files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>,
depending on the OS version.

If <code>unlock_time</code> is set to <code>0</code>, manual intervention by an administrator is required
to unlock a user. This should be done using the <code>faillock</code> tool.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
If the system supports the new <code>/etc/security/faillock.conf</code> file but the
pam_faillock.so parameters are defined directly in <code>/etc/pam.d/system-auth</code> and
<code>/etc/pam.d/password-auth</code>, the remediation will migrate the <code>unlock_time</code> parameter
to <code>/etc/security/faillock.conf</code> to ensure compatibility with the <code>authselect</code> tool.
The parameters <code>deny</code> and <code>fail_interval</code>, if used, also have to be migrated
by their respective remediations.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation
will also use the <code>authselect</code> tool. However, if any manual modification was made in the
PAM files, the <code>authselect</code> integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock
parameters should be defined in the <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181835536" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362181835536"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_unlock_time='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr>'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
        echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
    fi
    authselect enable-feature with-faillock

    authselect apply-changes -b
else

    AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
            sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
            sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
        fi
        sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
    done

fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*unlock_time\s*="
    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then

                if ! authselect check; then
                    echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                    exit 1
                fi

                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"

                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done

                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi

            if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
                sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
            fi
            if [ -f /usr/bin/authselect ]; then

                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181822272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362181822272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Check if system relies on
    authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
    tool is present
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
      current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: Set Lockout Time for Failed Password Attempts - Informative message based
      on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: Set Lockout Time for Failed Password Attempts - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature
      is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature with-faillock
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-faillock")

  - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect
    tool is not present
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so
      is already enabled
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail)
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_is_enabled

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so preauth
      insertbefore: ^auth.*sufficient.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail
      editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so authfail
      insertbefore: ^auth.*required.*pam_deny\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0

  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account
      section editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: account required pam_faillock.so
      insertbefore: ^account.*required.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_authselect_present.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr>
  tags:
  - always

- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf
    file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
    unlock_time parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*unlock_time\s*=
    line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so
    unlock_time parameter not in PAM files
  block:

  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/system-auth
    register: result_pam_file_present

  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth

    - name: Set Lockout Time for Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Lockout Time for Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success

      - name: Set Lockout Time for Failed Password Attempts - Define the current authselect
          profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Define the new authselect
          custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Get authselect current
          features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Check if any custom
          profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")

      - name: Set Lockout Time for Failed Password Attempts - Create an authselect
          custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect
          custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)

      - name: Set Lockout Time for Failed Password Attempts - Restore the authselect
          features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
          are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped

      - name: Set Lockout Time for Failed Password Attempts - Change the PAM file
          to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
      when:
      - result_authselect_present.stat.exists

    - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time"
        option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes
        are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists

  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth
      file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present

  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation
      for the system
    block:

    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to
        be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth

    - name: Set Lockout Time for Failed Password Attempts - Check if system relies
        on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present

    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom
        profile is used if authselect is present
      block:

      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect
          current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true

      - name: Set Lockout Time for Failed Password Attempts - Informative message
          based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was
            not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool
            is available.
          - In cases where the default authselect profile does not cover a specific
            demand, a custom authselect profile is recommended.
> success_msg: > - authselect integrity check passed > > - name: Set Lockout Time for Failed Password Attempts - Get authselect current > profile > ansible.builtin.shell: > cmd: authselect current -r | awk '{ print $1 }' > register: result_authselect_profile > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Set Lockout Time for Failed Password Attempts - Define the current authselect > profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: '{{ result_authselect_profile.stdout }}' > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is match("custom/") > > - name: Set Lockout Time for Failed Password Attempts - Define the new authselect > custom profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: custom/hardening > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is not match("custom/") > > - name: Set Lockout Time for Failed Password Attempts - Get authselect current > features to also enable them in the custom profile > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > > - name: Set Lockout Time for Failed Password Attempts - Check if any custom > profile with the same name was already created > ansible.builtin.stat: > path: /etc/authselect/{{ authselect_custom_profile }} > register: result_authselect_custom_profile_present > changed_when: false > when: > - authselect_current_profile is not match("custom/") > > - name: Set Lockout Time for Failed Password Attempts - Create an authselect > custom profile based on the current profile > ansible.builtin.command: > 
cmd: authselect create-profile hardening -b {{ authselect_current_profile > }} > when: > - result_authselect_check_cmd is success > - authselect_current_profile is not match("custom/") > - not result_authselect_custom_profile_present.stat.exists > > - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=before-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect > custom profile is selected > ansible.builtin.command: > cmd: authselect select {{ authselect_custom_profile }} > register: result_pam_authselect_select_profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Set Lockout Time for Failed Password Attempts - Restore the authselect > features in the custom profile > ansible.builtin.command: > cmd: authselect enable-feature {{ item }} > loop: '{{ result_authselect_features.stdout_lines }}' > register: result_pam_authselect_restore_features > when: > - result_authselect_profile is not skipped > - result_authselect_features is not skipped > - result_pam_authselect_select_profile is not skipped > > - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=after-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - result_pam_authselect_restore_features is not skipped > > - name: Set Lockout Time for Failed Password Attempts 
- Change the PAM file > to be edited according to the custom authselect profile > ansible.builtin.set_fact: > pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path > | basename }} > when: > - result_authselect_present.stat.exists > > - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" > option from "pam_faillock.so" is not present in {{ pam_file_path }} > ansible.builtin.replace: > dest: '{{ pam_file_path }}' > regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*) > replace: \1\2 > register: result_pam_option_removal > > - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_present.stat.exists > - result_pam_option_removal is changed > when: > - result_pam_file_present.stat.exists > when: > - '"pam" in ansible_facts.packages' > - result_faillock_conf_check.stat.exists > tags: > - CCE-83588-4 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.7 > - accounts_passwords_pam_faillock_unlock_time > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so > unlock_time parameter in PAM files > block: > > - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so > unlock_time parameter is already enabled in pam files > ansible.builtin.lineinfile: > path: /etc/pam.d/system-auth > regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time > state: absent > check_mode: true > changed_when: false > register: result_pam_faillock_unlock_time_parameter_is_present > > - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of > pam_faillock.so preauth unlock_time parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: 
true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) > line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time > }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_unlock_time_parameter_is_present.found == 0 > > - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of > pam_faillock.so authfail unlock_time parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) > line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time > }} > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_unlock_time_parameter_is_present.found == 0 > > - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value > for pam_faillock.so preauth unlock_time parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_unlock_time_parameter_is_present.found > 0 > > - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value > for pam_faillock.so authfail unlock_time parameter in auth section > ansible.builtin.lineinfile: > path: '{{ item }}' > backrefs: true > regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*) > line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5 > state: present > loop: > - /etc/pam.d/system-auth > - /etc/pam.d/password-auth > when: > - result_pam_faillock_unlock_time_parameter_is_present.found > 0 > when: > - '"pam" in ansible_facts.packages' > - not 
result_faillock_conf_check.stat.exists > tags: > - CCE-83588-4 > - CJIS-5.5.3 > - NIST-800-171-3.1.8 > - NIST-800-53-AC-7(b) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-8.1.7 > - accounts_passwords_pam_faillock_unlock_time > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of 
password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1</span> > <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in system-auth</span> > <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in /etc/security/faillock.conf</span> > <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in system-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in password-auth</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the 
following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in /etc/security/faillock.conf</span> > <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm46361752793456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-83579-3 </div><div class="panel-heading"><h3 
class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_minlen:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83579-3">CCE-83579-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="">SRG-OS-000072-VMM-000390</a>, <a href="">SRG-OS-000078-VMM-000450</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's <code>minlen</code> parameter controls requirements for >minimum characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr></code> >after pam_pwquality to set minimum password length requirements.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The shorter the password, the lower the number of possible combinations >that need to be tested before the password is compromised. ><br> >Password complexity, or strength, is a measure of the effectiveness of a >password in resisting attempts at guessing and brute-force attacks. >Password length is one factor of several that helps to determine strength >and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181179744" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362181179744"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_minlen='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr>'


# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83579-3"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181174896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362181174896"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83579-3
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr>
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable
    minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83579-3
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_minlen:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_minlen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/security/pwquality\.conf$</td><td>^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-detail-idm46361752871760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Displays Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-83560-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Displays Last Logon/Access Notification</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_display_login_attempts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-display_login_attempts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83560-3">CCE-83560-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000052</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in <code>/etc/pam.d/postlogin</code> to read as follows:
<pre>session required pam_lastlog.so showfailed</pre>
And make sure that the <code>silent</code> option is not set for the <code>pam_lastlog</code> module.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183060080" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362183060080"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if [ -e "/etc/pam.d/postlogin" ] ; then
    PAM_FILE_PATH="/etc/pam.d/postlogin"
    if [ -f /usr/bin/authselect ]; then

        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"

            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done

            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi
    if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"required"' \2/' "$PAM_FILE_PATH"
        else
            sed -i --follow-symlinks '1i session '"required"' pam_lastlog.so' "$PAM_FILE_PATH"
        fi
    fi
    # Check the option
    if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks '/\s*session\s+'"required"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
    fi
    if [ -f /usr/bin/authselect ]; then

        authselect apply-changes -b
    fi
else
    echo "/etc/pam.d/postlogin was not found" >&2
fi
if [ -e "/etc/pam.d/postlogin" ] ; then
    PAM_FILE_PATH="/etc/pam.d/postlogin"
    if [ -f /usr/bin/authselect ]; then

        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi

        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"

            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done

            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi

if grep -qP '^\s*session\s.*\bpam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
    sed -i -E --follow-symlinks 's/(.*session.*pam_lastlog.so.*)\bsilent\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
fi
    if [ -f /usr/bin/authselect ]; then

        authselect apply-changes -b
    fi
else
    echo "/etc/pam.d/postlogin was not found" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183053712" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362183053712"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
  
package_facts: > manager: auto > tags: > - CCE-83560-3 > - CJIS-5.5.2 > - NIST-800-53-AC-9 > - NIST-800-53-AC-9(1) > - PCI-DSS-Req-10.2.4 > - configure_strategy > - display_login_attempts > - low_complexity > - low_disruption > - low_severity > - no_reboot_needed > >- name: Ensure PAM Displays Last Logon/Access Notification - Check if /etc/pam.d/postlogin > file is present > ansible.builtin.stat: > path: /etc/pam.d/postlogin > register: result_pam_file_present > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83560-3 > - CJIS-5.5.2 > - NIST-800-53-AC-9 > - NIST-800-53-AC-9(1) > - PCI-DSS-Req-10.2.4 > - configure_strategy > - display_login_attempts > - low_complexity > - low_disruption > - low_severity > - no_reboot_needed > >- name: Ensure PAM Displays Last Logon/Access Notification - Check the proper remediation > for the system > block: > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the PAM file > to be edited as a local fact > ansible.builtin.set_fact: > pam_file_path: /etc/pam.d/postlogin > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if system relies > on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect custom > profile is used if authselect is present > block: > > - name: Ensure PAM Displays Last Logon/Access Notification - Check integrity of > authselect current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Ensure PAM Displays Last Logon/Access Notification - Informative message > based on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! 
> - This remediation could not be applied because an authselect profile was > not selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific > demand, a custom authselect profile is recommended. > success_msg: > - authselect integrity check passed > > - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current > profile > ansible.builtin.shell: > cmd: authselect current -r | awk '{ print $1 }' > register: result_authselect_profile > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the current > authselect profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: '{{ result_authselect_profile.stdout }}' > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the new authselect > custom profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: custom/hardening > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is not match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current > features to also enable them in the custom profile > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if any custom > profile with the same name was already 
created > ansible.builtin.stat: > path: /etc/authselect/{{ authselect_custom_profile }} > register: result_authselect_custom_profile_present > changed_when: false > when: > - authselect_current_profile is not match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Create an authselect > custom profile based on the current profile > ansible.builtin.command: > cmd: authselect create-profile hardening -b {{ authselect_current_profile > }} > when: > - result_authselect_check_cmd is success > - authselect_current_profile is not match("custom/") > - not result_authselect_custom_profile_present.stat.exists > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect > changes are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=before-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect > custom profile is selected > ansible.builtin.command: > cmd: authselect select {{ authselect_custom_profile }} > register: result_pam_authselect_select_profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > - authselect_custom_profile is not match(authselect_current_profile) > > - name: Ensure PAM Displays Last Logon/Access Notification - Restore the authselect > features in the custom profile > ansible.builtin.command: > cmd: authselect enable-feature {{ item }} > loop: '{{ result_authselect_features.stdout_lines }}' > register: result_pam_authselect_restore_features > when: > - result_authselect_profile is not skipped > - result_authselect_features is not skipped > - result_pam_authselect_select_profile is not skipped > > - name: 
Ensure PAM Displays Last Logon/Access Notification - Ensure authselect > changes are applied > ansible.builtin.command: > cmd: authselect apply-changes -b --backup=after-hardening-custom-profile > when: > - result_authselect_check_cmd is success > - result_authselect_profile is not skipped > - result_pam_authselect_restore_features is not skipped > > - name: Ensure PAM Displays Last Logon/Access Notification - Change the PAM file > to be edited according to the custom authselect profile > ansible.builtin.set_fact: > pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path > | basename }} > when: > - result_authselect_present.stat.exists > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if expected PAM > module line is present in {{ pam_file_path }} > ansible.builtin.lineinfile: > path: '{{ pam_file_path }}' > regexp: ^\s*session\s+required\s+pam_lastlog.so\s*.* > state: absent > check_mode: true > changed_when: false > register: result_pam_line_present > > - name: Ensure PAM Displays Last Logon/Access Notification - Include or update the > PAM module line in {{ pam_file_path }} > block: > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if required > PAM module line is present in {{ pam_file_path }} with different control > ansible.builtin.lineinfile: > path: '{{ pam_file_path }}' > regexp: ^\s*session\s+.*\s+pam_lastlog.so\s* > state: absent > check_mode: true > changed_when: false > register: result_pam_line_other_control_present > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the correct > control for the required PAM module line in {{ pam_file_path }} > ansible.builtin.replace: > dest: '{{ pam_file_path }}' > regexp: ^(\s*session\s+).*(\bpam_lastlog.so.*) > replace: \1required \2 > register: result_pam_module_edit > when: > - result_pam_line_other_control_present.found == 1 > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the required > PAM module line 
is included in {{ pam_file_path }} > ansible.builtin.lineinfile: > dest: '{{ pam_file_path }}' > insertafter: BOF > line: session required pam_lastlog.so > register: result_pam_module_add > when: > - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > > 1 > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect > changes are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: | > result_authselect_present is defined and result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) > when: > - result_pam_line_present.found is defined > - result_pam_line_present.found == 0 > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if the required > PAM module option is present in {{ pam_file_path }} > ansible.builtin.lineinfile: > path: '{{ pam_file_path }}' > regexp: ^\s*session\s+required\s+pam_lastlog.so\s*.*\sshowfailed\b > state: absent > check_mode: true > changed_when: false > register: result_pam_module_showfailed_option_present > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "showfailed" > PAM option for "pam_lastlog.so" is included in {{ pam_file_path }} > ansible.builtin.lineinfile: > path: '{{ pam_file_path }}' > backrefs: true > regexp: ^(\s*session\s+required\s+pam_lastlog.so.*) > line: \1 showfailed > state: present > register: result_pam_showfailed_add > when: > - result_pam_module_showfailed_option_present.found == 0 > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes > are applied > ansible.builtin.command: > cmd: authselect apply-changes -b > when: > - result_authselect_present.stat.exists > - (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed) > or (result_pam_showfailed_edit is defined and result_pam_showfailed_edit.changed) 
> when: > - '"pam" in ansible_facts.packages' > - result_pam_file_present.stat.exists > tags: > - CCE-83560-3 > - CJIS-5.5.2 > - NIST-800-53-AC-9 > - NIST-800-53-AC-9(1) > - PCI-DSS-Req-10.2.4 > - configure_strategy > - display_login_attempts > - low_complexity > - low_disruption > - low_severity > - no_reboot_needed > >- name: Ensure PAM Displays Last Logon/Access Notification - Check if /etc/pam.d/postlogin > file is present > ansible.builtin.stat: > path: /etc/pam.d/postlogin > register: result_pam_file_present > when: '"pam" in ansible_facts.packages' > tags: > - CCE-83560-3 > - CJIS-5.5.2 > - NIST-800-53-AC-9 > - NIST-800-53-AC-9(1) > - PCI-DSS-Req-10.2.4 > - configure_strategy > - display_login_attempts > - low_complexity > - low_disruption > - low_severity > - no_reboot_needed > >- name: Ensure PAM Displays Last Logon/Access Notification - Check the proper remediation > for the system > block: > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the PAM file > to be edited as a local fact > ansible.builtin.set_fact: > pam_file_path: /etc/pam.d/postlogin > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if system relies > on authselect tool > ansible.builtin.stat: > path: /usr/bin/authselect > register: result_authselect_present > > - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect custom > profile is used if authselect is present > block: > > - name: Ensure PAM Displays Last Logon/Access Notification - Check integrity of > authselect current profile > ansible.builtin.command: > cmd: authselect check > register: result_authselect_check_cmd > changed_when: false > ignore_errors: true > > - name: Ensure PAM Displays Last Logon/Access Notification - Informative message > based on the authselect integrity check result > ansible.builtin.assert: > that: > - result_authselect_check_cmd is success > fail_msg: > - authselect integrity check failed. Remediation aborted! 
> - This remediation could not be applied because an authselect profile was > not selected or the selected profile is not intact. > - It is not recommended to manually edit the PAM files when authselect tool > is available. > - In cases where the default authselect profile does not cover a specific > demand, a custom authselect profile is recommended. > success_msg: > - authselect integrity check passed > > - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current > profile > ansible.builtin.shell: > cmd: authselect current -r | awk '{ print $1 }' > register: result_authselect_profile > changed_when: false > when: > - result_authselect_check_cmd is success > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the current > authselect profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: '{{ result_authselect_profile.stdout }}' > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Define the new authselect > custom profile as a local fact > ansible.builtin.set_fact: > authselect_current_profile: '{{ result_authselect_profile.stdout }}' > authselect_custom_profile: custom/hardening > when: > - result_authselect_profile is not skipped > - result_authselect_profile.stdout is not match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current > features to also enable them in the custom profile > ansible.builtin.shell: > cmd: authselect current | tail -n+3 | awk '{ print $2 }' > register: result_authselect_features > changed_when: false > when: > - result_authselect_profile is not skipped > - authselect_current_profile is not match("custom/") > > - name: Ensure PAM Displays Last Logon/Access Notification - Check if any custom > profile with the same name was already 
created
    ansible.builtin.stat:
      path: /etc/authselect/{{ authselect_custom_profile }}
    register: result_authselect_custom_profile_present
    changed_when: false
    when:
    - authselect_current_profile is not match("custom/")

  - name: Ensure PAM Displays Last Logon/Access Notification - Create an authselect
      custom profile based on the current profile
    ansible.builtin.command:
      cmd: authselect create-profile hardening -b {{ authselect_current_profile
        }}
    when:
    - result_authselect_check_cmd is success
    - authselect_current_profile is not match("custom/")
    - not result_authselect_custom_profile_present.stat.exists

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
      changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
    when:
    - result_authselect_check_cmd is success
    - result_authselect_profile is not skipped
    - authselect_current_profile is not match("custom/")
    - authselect_custom_profile is not match(authselect_current_profile)

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect
      custom profile is selected
    ansible.builtin.command:
      cmd: authselect select {{ authselect_custom_profile }}
    register: result_pam_authselect_select_profile
    when:
    - result_authselect_check_cmd is success
    - result_authselect_profile is not skipped
    - authselect_current_profile is not match("custom/")
    - authselect_custom_profile is not match(authselect_current_profile)

  - name: Ensure PAM Displays Last Logon/Access Notification - Restore the authselect
      features in the custom profile
    ansible.builtin.command:
      cmd: authselect enable-feature {{ item }}
    loop: '{{ result_authselect_features.stdout_lines }}'
    register: result_pam_authselect_restore_features
    when:
    - result_authselect_profile is not skipped
    - result_authselect_features is not skipped
    - result_pam_authselect_select_profile is not skipped

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect
      changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
    when:
    - result_authselect_check_cmd is success
    - result_authselect_profile is not skipped
    - result_pam_authselect_restore_features is not skipped

  - name: Ensure PAM Displays Last Logon/Access Notification - Change the PAM file
      to be edited according to the custom authselect profile
    ansible.builtin.set_fact:
      pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path
        | basename }}
    when:
    - result_authselect_present.stat.exists

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "silent"
      option from "pam_lastlog.so" is not present in {{ pam_file_path }}
    ansible.builtin.replace:
      dest: '{{ pam_file_path }}'
      regexp: (.*session.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*)
      replace: \1\2
    register: result_pam_option_removal

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_present.stat.exists
    - result_pam_option_removal is changed
  when:
  - '"pam" in ansible_facts.packages'
  - result_pam_file_present.stat.exists
  tags:
  - CCE-83560-3
  - CJIS-5.5.2
  - NIST-800-53-AC-9
  - NIST-800-53-AC-9(1)
  - PCI-DSS-Req-10.2.4
  - configure_strategy
  - display_login_attempts
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check the pam_lastlog configuration</span>
<span class="label label-default">oval:ssg-test_display_login_attempts:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_display_login_attempts:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td><td>^\s*session\s+required\s+pam_lastlog\.so(?:\s+[\w=]+)*\s+showfailed(\s|$)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Forbid 'silent' option for pam_lastlog</span>
<span class="label label-default">oval:ssg-test_display_login_attempts_silent:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td><td>session optional pam_lastlog.so silent </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_emergency_target_auth" id="rule-detail-idm46361752747952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-83592-6 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Emergency Systemd Target</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_emergency_target_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-require_emergency_target_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83592-6">CCE-83592-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description">Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
<br><br>
By default, Emergency mode is protected by requiring a password and is set
in <code>/usr/lib/systemd/system/emergency.service</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode</span>
<span class="label label-default">oval:ssg-test_require_emergency_service:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/emergency.service</td><td>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</td></tr></tbody></table><h4><span class="label label-primary">Tests that the systemd emergency.service is in the emergency.target</span>
<span class="label label-default">oval:ssg-test_require_emergency_service_emergency_target:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/emergency.target</td><td>Requires=emergency.service</td></tr></tbody></table><h4><span class="label label-primary">look for emergency.target in /etc/systemd/system</span>
<span class="label label-default">oval:ssg-test_no_custom_emergency_target:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for emergency.target in /etc/systemd/system">oval:ssg-object_no_custom_emergency_target:obj:1</abbr></strong> of type
<strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^emergency.target$</td></tr></tbody></table><h4><span class="label label-primary">look for emergency.service in /etc/systemd/system</span>
<span class="label label-default">oval:ssg-test_no_custom_emergency_service:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for emergency.service in /etc/systemd/system">oval:ssg-object_no_custom_emergency_service:obj:1</abbr></strong> of type
<strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^emergency.service$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idm46361752743952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-83594-2 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-require_singleuser_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83594-2">CCE-83594-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description">Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
<br><br>
By default, single-user mode is protected by requiring a password and is set
in <code>/usr/lib/systemd/system/rescue.service</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode</span>
<span class="label label-default">oval:ssg-test_require_rescue_service:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/rescue.service</td><td>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</td></tr></tbody></table><h4><span class="label label-primary">Tests that the systemd rescue.service is in the runlevel1.target</span>
<span class="label label-default">oval:ssg-test_require_rescue_service_runlevel1:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/runlevel1.target</td><td>Requires=sysinit.target rescue.service</td></tr></tbody></table><h4><span class="label label-primary">look for runlevel1.target in /etc/systemd/system</span>
<span class="label label-default">oval:ssg-test_no_custom_runlevel1_target:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for runlevel1.target in /etc/systemd/system">oval:ssg-object_no_custom_runlevel1_target:obj:1</abbr></strong> of type
<strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^runlevel1.target$</td></tr></tbody></table><h4><span class="label label-primary">look for rescue.service in /etc/systemd/system</span>
<span class="label label-default">oval:ssg-test_no_custom_rescue_service:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for rescue.service in /etc/systemd/system">oval:ssg-object_no_custom_rescue_service:obj:1</abbr></strong> of type
<strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^rescue.service$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm46361752689296"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-83606-4 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_maximum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83606-4">CCE-83606-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000199</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.1</a></p></td></tr><tr><td>Description</td><td><div 
class="description">To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line:
<pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></pre>
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.<br><br>Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179239776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362179239776"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_maximum_age_login_defs='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr>'


grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179237248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362179237248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83606-4
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr>
  tags:
  - always

- name: Set Password Maximum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-83606-4
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_max_days:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_max_days_instance_value:var:1</td><td>99999</td></tr></tbody></table></div></div></div></div></div>
<div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-detail-idm46361752684448"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-83610-6 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_minimum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83610-6">CCE-83610-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000198</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.3.9</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000075-GPOS-00043</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line:
<pre>PASS_MIN_DAYS <abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></pre>
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.<br><br>Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179178464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362179178464"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_minimum_age_login_defs='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr>'


grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179175936" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362179175936"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83610-6
  - CJIS-5.6.2.1.1
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr>
  tags:
  - always

- name: Set Password Minimum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-83610-6
  - CJIS-5.6.2.1.1
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_min_days:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_min_days_instance_value:var:1</td><td>0</td></tr></tbody></table></div></div></div></div></div>
<div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" id="rule-detail-idm46361752671456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Warning Agexccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs mediumCCE-83609-8 </div><div class="panel-heading"><h3 class="panel-title">Set Password Warning Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_warn_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and 
References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83609-8">CCE-83609-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.3.9</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify how many days before password expiration a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line:
<pre>PASS_WARN_AGE <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs">7</abbr></pre>
The DoD requirement is 7.
The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs">7</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the password warning age enables users to make the change at a practical time.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs</span>&nbsp;<span class="label label-default">oval:ssg-test_pass_warn_age:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_warn_age_instance_value:var:1</td><td>7</td></tr></tbody></table></div></div></div></div></div>
<div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-detail-idm46361752666576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify All Account Password Hashes are Shadowedxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed mediumCCE-83618-9 </div><div class="panel-heading"><h3 class="panel-title">Verify All Account Password Hashes are Shadowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_all_shadowed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83618-9">CCE-83618-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">1410</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.1</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The hashes for all user account passwords should be stored in the file <code>/etc/shadow</code> and never in <code>/etc/passwd</code>, which is readable by all users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">password hashes are shadowed</span>&nbsp;<span class="label label-default">oval:ssg-test_accounts_password_all_shadowed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Username</th><th>Password</th><th>User id</th><th>Group id</th><th>Gcos</th><th>Home dir</th><th>Login shell</th><th>Last login</th></tr></thead><tbody>
<tr><td>shutdown</td><td></td><td role="num">6</td><td role="num">0</td><td>shutdown</td><td>/sbin</td><td>/sbin/shutdown</td><td role="num">0</td></tr>
<tr><td>sync</td><td></td><td role="num">5</td><td role="num">0</td><td>sync</td><td>/sbin</td><td>/bin/sync</td><td role="num">0</td></tr>
<tr><td>lp</td><td></td><td role="num">4</td><td role="num">7</td><td>lp</td><td>/var/spool/lpd</td><td>/sbin/nologin</td><td role="num">0</td></tr>
<tr><td>polkitd</td><td></td><td role="num">998</td><td role="num">996</td><td>User for polkitd</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr>
<tr><td>systemd-oom</td><td></td><td role="num">988</td><td role="num">988</td><td>systemd Userspace OOM Killer</td><td>/</td><td>/usr/sbin/nologin</td><td role="num">0</td></tr>
<tr><td>root</td><td></td><td role="num">0</td><td
role="num">0</td><td>root</td><td>/root</td><td>/bin/bash</td><td role="num">0</td></tr><tr><td>adm</td><td></td><td role="num">3</td><td role="num">4</td><td>adm</td><td>/var/adm</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>daemon</td><td></td><td role="num">2</td><td role="num">2</td><td>daemon</td><td>/sbin</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>chrony</td><td></td><td role="num">993</td><td role="num">990</td><td>chrony system user</td><td>/var/lib/chrony</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>tcpdump</td><td></td><td role="num">72</td><td role="num">72</td><td></td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>games</td><td></td><td role="num">12</td><td role="num">100</td><td>games</td><td>/usr/games</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>sshd</td><td></td><td role="num">74</td><td role="num">74</td><td>Privilege-separated SSH</td><td>/usr/share/empty.sshd</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>tss</td><td></td><td role="num">59</td><td role="num">59</td><td>Account used for TPM access</td><td>/dev/null</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>ftp</td><td></td><td role="num">14</td><td role="num">50</td><td>FTP User</td><td>/var/ftp</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>rpcuser</td><td></td><td role="num">29</td><td role="num">29</td><td>RPC Service User</td><td>/var/lib/nfs</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>mail</td><td></td><td role="num">8</td><td role="num">12</td><td>mail</td><td>/var/spool/mail</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>setroubleshoot</td><td></td><td role="num">997</td><td role="num">994</td><td>SELinux troubleshoot server</td><td>/var/lib/setroubleshoot</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>halt</td><td></td><td role="num">7</td><td role="num">0</td><td>halt</td><td>/sbin</td><td>/sbin/halt</td><td 
role="num">0</td></tr><tr><td>cockpit-wsinstance</td><td></td><td role="num">994</td><td role="num">991</td><td>User for cockpit-ws instances</td><td>/nonexisting</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>rpc</td><td></td><td role="num">32</td><td role="num">32</td><td>Rpcbind Daemon</td><td>/var/lib/rpcbind</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>sssd</td><td></td><td role="num">996</td><td role="num">993</td><td>User for sssd</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>systemd-coredump</td><td></td><td role="num">999</td><td role="num">997</td><td>systemd Core Dumper</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>nobody</td><td></td><td role="num">65534</td><td role="num">65534</td><td>Kernel Overflow User</td><td>/</td><td>/sbin/nologin</td><td role="num">-1</td></tr><tr><td>operator</td><td></td><td role="num">11</td><td role="num">0</td><td>operator</td><td>/root</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>dbus</td><td></td><td role="num">81</td><td role="num">81</td><td>System message bus</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>cockpit-ws</td><td></td><td role="num">995</td><td role="num">992</td><td>User for cockpit web service</td><td>/nonexisting</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>bin</td><td></td><td role="num">1</td><td role="num">1</td><td>bin</td><td>/bin</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>quickcluster</td><td></td><td role="num">1000</td><td role="num">1000</td><td>quickcluster</td><td>/home/quickcluster</td><td>/bin/bash</td><td role="num">1689647013</td></tr><tr><td>cloud-user</td><td></td><td role="num">1001</td><td role="num">1001</td><td>Cloud User</td><td>/home/cloud-user</td><td>/bin/bash</td><td role="num">0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail 
rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idm46361752651744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-83611-4 </div><div class="panel-heading"><h3 class="panel-title">Prevent Login to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83611-4">CCE-83611-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>nullok</code> option in <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> to prevent logins with empty passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation will also use the <code>authselect</code> tool. However, if any manual modification was made to the PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable for systems running within a container. Having a user with an empty password within a container is not considered a risk, because it should not be possible to log in directly to a container anyway.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178689152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362178689152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
exit 1
fi
authselect enable-feature without-nullok

authselect apply-changes -b
else

if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
fi

if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
fi

if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
    sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
fi

if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
    sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178684720" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362178684720"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
    authselect
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed

- name: Prevent Login to Accounts With Empty Password - Remediate using authselect
  block:

  - name: Prevent Login to Accounts With Empty Password - Check integrity of authselect
      current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true

  - name: Prevent Login to Accounts With Empty Password - Informative message based
      on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not
        selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool
        is available.
      - In cases where the default authselect profile does not cover a specific demand,
        a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed

  - name: Prevent Login to Accounts With Empty Password - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success

  - name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok"
      feature is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature without-nullok
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("without-nullok")

  - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes
      are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - result_authselect_present.stat.exists
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed

- name: Prevent Login to Accounts With Empty Password - Remediate directly editing
    PAM files
  ansible.builtin.replace:
    dest: '{{ item }}'
    regexp: nullok
  loop:
  - /etc/pam.d/system-auth
  - /etc/pam.d/password-auth
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - not result_authselect_present.stat.exists
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178675104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362178675104"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20suffic
ient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A > mode: 0644 > path: /etc/pam.d/password-auth > overwrite: true > - contents: > source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A > mode: 0644 > path: /etc/pam.d/system-auth > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">make sure nullok is not used in /etc/pam.d/system-auth</span>Â > <span class="label label-default">oval:ssg-test_no_empty_passwords:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_env.so >auth sufficient pam_unix.so try_first_pass nullok >auth required pam_deny.so > >account required pam_unix.so > >password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= >password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 
shadow</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_env.so >auth sufficient pam_unix.so try_first_pass nullok >auth required pam_deny.so > >account required pam_unix.so > >password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= >password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-detail-idm46361752634272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-83624-7 </div><div class="panel-heading"><h3 class="panel-title">Verify Only Root Has UID 0</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_no_uid_except_zero:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83624-7">CCE-83624-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(5)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.2.9</a></p></td></tr><tr><td>Description</td><td><div class="description">If any account other than root has a UID of 0, this misconfiguration should >be investigated and the accounts other than root should be removed or have >their UID changed. ><br> >If the account is associated with system commands or applications the UID >should be changed to one greater than "0" but less than "1000." >Otherwise assign a UID greater than "1000" that has not already been >assigned.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">An account has root authority if it has a UID of 0. Multiple accounts >with a UID of 0 afford more opportunity for potential intruders to >guess a password for a privileged account. 
Proper configuration of >sudo is recommended to afford multiple system administrators >access to root privileges in an accountable manner.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">test that there are no accounts with UID 0 except root in the /etc/passwd file</span>&nbsp; > <span class="label label-default">oval:ssg-test_accounts_no_uid_except_root:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_no_uid_except_root:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>^(?!root:)[^:]*:[^:]*:0</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-detail-idm46361752622816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-83623-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure that System Accounts Do Not Run a Shell Upon Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_shelllogin_for_systemaccounts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83623-9">CCE-83623-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="">1491</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.6.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.2</a></p></td></tr><tr><td>Description</td><td><div class="description">Some 
accounts are not associated with a human user of the system, and exist to >perform some administrative function. Should an attacker be able to log into >these accounts, they should not be granted access to a shell. ><br><br> >The login shell for each local account is stored in the last field of each line >in <code>/etc/passwd</code>. System accounts are those user accounts with a user ID >less than UID_MIN, where the value of the UID_MIN directive is set in the >/etc/login.defs configuration file. In the default configuration, UID_MIN is set >to 1000, so system accounts are those user accounts with a user ID less than >1000. The user ID is stored in the third field. If any system account ><i>SYSACCT</i> (other than root) has a login shell, disable it with the >command: <pre>$ sudo usermod -s /sbin/nologin <i>SYSACCT</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring shells are not given to system accounts upon login makes it more >difficult for attackers to make use of system accounts.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; > Do not perform the steps in this section on the root account. 
Doing so might >cause the system to become inaccessible.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">SYS_UID_MIN not defined in /etc/login.defs</span>&nbsp; > <span class="label label-default">oval:ssg-test_sys_uid_min_not_defined:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># ># Please note that the parameters in this configuration file control the ># behavior of the tools from the shadow-utils component. None of these ># tools uses the PAM mechanism, and the utilities that use PAM (such as the ># passwd command) should therefore be configured elsewhere. Refer to ># /etc/pam.d/system-auth for more information. ># > ># ># Delay in seconds before being allowed another attempt after a login failure ># Note: When PAM is used, some modules may enforce a minimum delay (e.g. ># pam_unix(8) enforces a 2s delay) ># >#FAIL_DELAY 3 > ># Currently FAILLOG_ENAB is not supported > ># ># Enable display of unknown usernames when login(1) failures are recorded. ># >#LOG_UNKFAIL_ENAB no > ># Currently LOG_OK_LOGINS is not supported > ># Currently LASTLOG_ENAB is not supported > ># ># Limit the highest user ID number for which the lastlog entries should ># be updated. ># ># No LASTLOG_UID_MAX means that there is no user ID limit for writing ># lastlog entries. 
># >#LASTLOG_UID_MAX > ># Currently MAIL_CHECK_ENAB is not supported > ># Currently OBSCURE_CHECKS_ENAB is not supported > ># Currently PORTTIME_CHECKS_ENAB is not supported > ># Currently QUOTAS_ENAB is not supported > ># Currently SYSLOG_SU_ENAB is not supported > ># ># Enable "syslog" logging of newgrp(1) and sg(1) activity. ># >#SYSLOG_SG_ENAB yes > ># Currently CONSOLE is not supported > ># Currently SULOG_FILE is not supported > ># Currently MOTD_FILE is not supported > ># Currently ISSUE_FILE is not supported > ># Currently TTYTYPE_FILE is not supported > ># Currently FTMP_FILE is not supported > ># Currently NOLOGINS_FILE is not supported > ># Currently SU_NAME is not supported > ># *REQUIRED* ># Directory where mailboxes reside, _or_ name of file, relative to the ># home directory. If you _do_ define both, MAIL_DIR takes precedence. ># >MAIL_DIR /var/spool/mail >#MAIL_FILE .mail > ># ># If defined, file which inhibits all the usual chatter during the login ># sequence. If a full pathname, then hushed mode will be enabled if the ># user's name or shell are found in the file. If not a full pathname, then ># hushed mode will be enabled if the file exists in the user's home directory. ># >#HUSHLOGIN_FILE .hushlogin >#HUSHLOGIN_FILE /etc/hushlogins > ># Currently ENV_TZ is not supported > ># Currently ENV_HZ is not supported > ># ># The default PATH settings, for superuser and normal users. ># ># (they are minimal, add the rest in the shell startup files) >#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin >#ENV_PATH PATH=/bin:/usr/bin > ># ># Terminal permissions ># ># TTYGROUP Login tty will be assigned this group ownership. ># TTYPERM Login tty will be set to this permission. ># ># If you have a write(1) program which is "setgid" to a special group ># which owns the terminals, define TTYGROUP as the number of such group ># and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and ># set TTYPERM to either 622 or 600. 
># >#TTYGROUP tty >#TTYPERM 0600 > ># Currently ERASECHAR, KILLCHAR and ULIMIT are not supported > ># Default initial "umask" value used by login(1) on non-PAM enabled systems. ># Default "umask" value for pam_umask(8) on PAM enabled systems. ># UMASK is also used by useradd(8) and newusers(8) to set the mode for new ># home directories if HOME_MODE is not set. ># 022 is the default value, but 027, or even 077, could be considered ># for increased privacy. There is no One True Answer here: each sysadmin ># must make up their mind. >UMASK 022 > ># HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new ># home directories. ># If HOME_MODE is not set, the value of UMASK is used to create the mode. >HOME_MODE 0700 > ># Password aging controls: ># ># PASS_MAX_DAYS Maximum number of days a password may be used. ># PASS_MIN_DAYS Minimum number of days allowed between password changes. ># PASS_MIN_LEN Minimum acceptable password length. ># PASS_WARN_AGE Number of days warning given before a password expires. ># >PASS_MAX_DAYS 99999 >PASS_MIN_DAYS 0 >PASS_WARN_AGE 7 > ># Currently PASS_MIN_LEN is not supported > ># Currently SU_WHEEL_ONLY is not supported > ># Currently CRACKLIB_DICTPATH is not supported > ># ># Min/max values for automatic uid selection in useradd(8) ># >UID_MIN 1000 >UID_MAX 60000 ># System accounts >SYS_UID_MIN 201</td></tr></tbody></table><h4><span class="label label-primary">SYS_UID_MAX not defined in /etc/login.defs</span>&nbsp; > <span class="label label-default">oval:ssg-test_sys_uid_max_not_defined:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># ># Please note that the parameters in this configuration file control the ># behavior of the tools from the shadow-utils component. 
None of these ># tools uses the PAM mechanism, and the utilities that use PAM (such as the ># passwd command) should therefore be configured elsewhere. Refer to ># /etc/pam.d/system-auth for more information. ># > ># ># Delay in seconds before being allowed another attempt after a login failure ># Note: When PAM is used, some modules may enforce a minimum delay (e.g. ># pam_unix(8) enforces a 2s delay) ># >#FAIL_DELAY 3 > ># Currently FAILLOG_ENAB is not supported > ># ># Enable display of unknown usernames when login(1) failures are recorded. ># >#LOG_UNKFAIL_ENAB no > ># Currently LOG_OK_LOGINS is not supported > ># Currently LASTLOG_ENAB is not supported > ># ># Limit the highest user ID number for which the lastlog entries should ># be updated. ># ># No LASTLOG_UID_MAX means that there is no user ID limit for writing ># lastlog entries. ># >#LASTLOG_UID_MAX > ># Currently MAIL_CHECK_ENAB is not supported > ># Currently OBSCURE_CHECKS_ENAB is not supported > ># Currently PORTTIME_CHECKS_ENAB is not supported > ># Currently QUOTAS_ENAB is not supported > ># Currently SYSLOG_SU_ENAB is not supported > ># ># Enable "syslog" logging of newgrp(1) and sg(1) activity. ># >#SYSLOG_SG_ENAB yes > ># Currently CONSOLE is not supported > ># Currently SULOG_FILE is not supported > ># Currently MOTD_FILE is not supported > ># Currently ISSUE_FILE is not supported > ># Currently TTYTYPE_FILE is not supported > ># Currently FTMP_FILE is not supported > ># Currently NOLOGINS_FILE is not supported > ># Currently SU_NAME is not supported > ># *REQUIRED* ># Directory where mailboxes reside, _or_ name of file, relative to the ># home directory. If you _do_ define both, MAIL_DIR takes precedence. ># >MAIL_DIR /var/spool/mail >#MAIL_FILE .mail > ># ># If defined, file which inhibits all the usual chatter during the login ># sequence. If a full pathname, then hushed mode will be enabled if the ># user's name or shell are found in the file. 
If not a full pathname, then ># hushed mode will be enabled if the file exists in the user's home directory. ># >#HUSHLOGIN_FILE .hushlogin >#HUSHLOGIN_FILE /etc/hushlogins > ># Currently ENV_TZ is not supported > ># Currently ENV_HZ is not supported > ># ># The default PATH settings, for superuser and normal users. ># ># (they are minimal, add the rest in the shell startup files) >#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin >#ENV_PATH PATH=/bin:/usr/bin > ># ># Terminal permissions ># ># TTYGROUP Login tty will be assigned this group ownership. ># TTYPERM Login tty will be set to this permission. ># ># If you have a write(1) program which is "setgid" to a special group ># which owns the terminals, define TTYGROUP as the number of such group ># and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and ># set TTYPERM to either 622 or 600. ># >#TTYGROUP tty >#TTYPERM 0600 > ># Currently ERASECHAR, KILLCHAR and ULIMIT are not supported > ># Default initial "umask" value used by login(1) on non-PAM enabled systems. ># Default "umask" value for pam_umask(8) on PAM enabled systems. ># UMASK is also used by useradd(8) and newusers(8) to set the mode for new ># home directories if HOME_MODE is not set. ># 022 is the default value, but 027, or even 077, could be considered ># for increased privacy. There is no One True Answer here: each sysadmin ># must make up their mind. >UMASK 022 > ># HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new ># home directories. ># If HOME_MODE is not set, the value of UMASK is used to create the mode. >HOME_MODE 0700 > ># Password aging controls: ># ># PASS_MAX_DAYS Maximum number of days a password may be used. ># PASS_MIN_DAYS Minimum number of days allowed between password changes. ># PASS_MIN_LEN Minimum acceptable password length. ># PASS_WARN_AGE Number of days warning given before a password expires. 
># >PASS_MAX_DAYS 99999 >PASS_MIN_DAYS 0 >PASS_WARN_AGE 7 > ># Currently PASS_MIN_LEN is not supported > ># Currently SU_WHEEL_ONLY is not supported > ># Currently CRACKLIB_DICTPATH is not supported > ># ># Min/max values for automatic uid selection in useradd(8) ># >UID_MIN 1000 >UID_MAX 60000 ># System accounts >SYS_UID_MIN 201 >SYS_UID_MAX 999</td></tr></tbody></table><h4><span class="label label-primary"><0, UID_MIN - 1> system UIDs having shell set</span>Â > <span class="label label-default">oval:ssg-test_shell_defined_default_uid_range:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table><h4><span class="label label-primary">SYS_UID_MIN not defined in /etc/login.defs</span>Â > <span class="label label-default">oval:ssg-test_sys_uid_min_not_defined:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># ># Please note that the parameters in this configuration file control the ># behavior of the tools from the shadow-utils component. None of these ># tools uses the PAM mechanism, and the utilities that use PAM (such as the ># passwd command) should therefore be configured elsewhere. Refer to ># /etc/pam.d/system-auth for more information. ># > ># ># Delay in seconds before being allowed another attempt after a login failure ># Note: When PAM is used, some modules may enforce a minimum delay (e.g. 
># pam_unix(8) enforces a 2s delay) ># >#FAIL_DELAY 3 > ># Currently FAILLOG_ENAB is not supported > ># ># Enable display of unknown usernames when login(1) failures are recorded. ># >#LOG_UNKFAIL_ENAB no > ># Currently LOG_OK_LOGINS is not supported > ># Currently LASTLOG_ENAB is not supported > ># ># Limit the highest user ID number for which the lastlog entries should ># be updated. ># ># No LASTLOG_UID_MAX means that there is no user ID limit for writing ># lastlog entries. ># >#LASTLOG_UID_MAX > ># Currently MAIL_CHECK_ENAB is not supported > ># Currently OBSCURE_CHECKS_ENAB is not supported > ># Currently PORTTIME_CHECKS_ENAB is not supported > ># Currently QUOTAS_ENAB is not supported > ># Currently SYSLOG_SU_ENAB is not supported > ># ># Enable "syslog" logging of newgrp(1) and sg(1) activity. ># >#SYSLOG_SG_ENAB yes > ># Currently CONSOLE is not supported > ># Currently SULOG_FILE is not supported > ># Currently MOTD_FILE is not supported > ># Currently ISSUE_FILE is not supported > ># Currently TTYTYPE_FILE is not supported > ># Currently FTMP_FILE is not supported > ># Currently NOLOGINS_FILE is not supported > ># Currently SU_NAME is not supported > ># *REQUIRED* ># Directory where mailboxes reside, _or_ name of file, relative to the ># home directory. If you _do_ define both, MAIL_DIR takes precedence. ># >MAIL_DIR /var/spool/mail >#MAIL_FILE .mail > ># ># If defined, file which inhibits all the usual chatter during the login ># sequence. If a full pathname, then hushed mode will be enabled if the ># user's name or shell are found in the file. If not a full pathname, then ># hushed mode will be enabled if the file exists in the user's home directory. ># >#HUSHLOGIN_FILE .hushlogin >#HUSHLOGIN_FILE /etc/hushlogins > ># Currently ENV_TZ is not supported > ># Currently ENV_HZ is not supported > ># ># The default PATH settings, for superuser and normal users. 
># ># (they are minimal, add the rest in the shell startup files) >#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin >#ENV_PATH PATH=/bin:/usr/bin > ># ># Terminal permissions ># ># TTYGROUP Login tty will be assigned this group ownership. ># TTYPERM Login tty will be set to this permission. ># ># If you have a write(1) program which is "setgid" to a special group ># which owns the terminals, define TTYGROUP as the number of such group ># and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and ># set TTYPERM to either 622 or 600. ># >#TTYGROUP tty >#TTYPERM 0600 > ># Currently ERASECHAR, KILLCHAR and ULIMIT are not supported > ># Default initial "umask" value used by login(1) on non-PAM enabled systems. ># Default "umask" value for pam_umask(8) on PAM enabled systems. ># UMASK is also used by useradd(8) and newusers(8) to set the mode for new ># home directories if HOME_MODE is not set. ># 022 is the default value, but 027, or even 077, could be considered ># for increased privacy. There is no One True Answer here: each sysadmin ># must make up their mind. >UMASK 022 > ># HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new ># home directories. ># If HOME_MODE is not set, the value of UMASK is used to create the mode. >HOME_MODE 0700 > ># Password aging controls: ># ># PASS_MAX_DAYS Maximum number of days a password may be used. ># PASS_MIN_DAYS Minimum number of days allowed between password changes. ># PASS_MIN_LEN Minimum acceptable password length. ># PASS_WARN_AGE Number of days warning given before a password expires. 
># >PASS_MAX_DAYS 99999 >PASS_MIN_DAYS 0 >PASS_WARN_AGE 7 > ># Currently PASS_MIN_LEN is not supported > ># Currently SU_WHEEL_ONLY is not supported > ># Currently CRACKLIB_DICTPATH is not supported > ># ># Min/max values for automatic uid selection in useradd(8) ># >UID_MIN 1000 >UID_MAX 60000 ># System accounts >SYS_UID_MIN 201</td></tr></tbody></table><h4><span class="label label-primary">SYS_UID_MAX not defined in /etc/login.defs</span>Â > <span class="label label-default">oval:ssg-test_sys_uid_max_not_defined:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># ># Please note that the parameters in this configuration file control the ># behavior of the tools from the shadow-utils component. None of these ># tools uses the PAM mechanism, and the utilities that use PAM (such as the ># passwd command) should therefore be configured elsewhere. Refer to ># /etc/pam.d/system-auth for more information. ># > ># ># Delay in seconds before being allowed another attempt after a login failure ># Note: When PAM is used, some modules may enforce a minimum delay (e.g. ># pam_unix(8) enforces a 2s delay) ># >#FAIL_DELAY 3 > ># Currently FAILLOG_ENAB is not supported > ># ># Enable display of unknown usernames when login(1) failures are recorded. ># >#LOG_UNKFAIL_ENAB no > ># Currently LOG_OK_LOGINS is not supported > ># Currently LASTLOG_ENAB is not supported > ># ># Limit the highest user ID number for which the lastlog entries should ># be updated. ># ># No LASTLOG_UID_MAX means that there is no user ID limit for writing ># lastlog entries. 
># >#LASTLOG_UID_MAX > ># Currently MAIL_CHECK_ENAB is not supported > ># Currently OBSCURE_CHECKS_ENAB is not supported > ># Currently PORTTIME_CHECKS_ENAB is not supported > ># Currently QUOTAS_ENAB is not supported > ># Currently SYSLOG_SU_ENAB is not supported > ># ># Enable "syslog" logging of newgrp(1) and sg(1) activity. ># >#SYSLOG_SG_ENAB yes > ># Currently CONSOLE is not supported > ># Currently SULOG_FILE is not supported > ># Currently MOTD_FILE is not supported > ># Currently ISSUE_FILE is not supported > ># Currently TTYTYPE_FILE is not supported > ># Currently FTMP_FILE is not supported > ># Currently NOLOGINS_FILE is not supported > ># Currently SU_NAME is not supported > ># *REQUIRED* ># Directory where mailboxes reside, _or_ name of file, relative to the ># home directory. If you _do_ define both, MAIL_DIR takes precedence. ># >MAIL_DIR /var/spool/mail >#MAIL_FILE .mail > ># ># If defined, file which inhibits all the usual chatter during the login ># sequence. If a full pathname, then hushed mode will be enabled if the ># user's name or shell are found in the file. If not a full pathname, then ># hushed mode will be enabled if the file exists in the user's home directory. ># >#HUSHLOGIN_FILE .hushlogin >#HUSHLOGIN_FILE /etc/hushlogins > ># Currently ENV_TZ is not supported > ># Currently ENV_HZ is not supported > ># ># The default PATH settings, for superuser and normal users. ># ># (they are minimal, add the rest in the shell startup files) >#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin >#ENV_PATH PATH=/bin:/usr/bin > ># ># Terminal permissions ># ># TTYGROUP Login tty will be assigned this group ownership. ># TTYPERM Login tty will be set to this permission. ># ># If you have a write(1) program which is "setgid" to a special group ># which owns the terminals, define TTYGROUP as the number of such group ># and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and ># set TTYPERM to either 622 or 600. 
># >#TTYGROUP tty >#TTYPERM 0600 > ># Currently ERASECHAR, KILLCHAR and ULIMIT are not supported > ># Default initial "umask" value used by login(1) on non-PAM enabled systems. ># Default "umask" value for pam_umask(8) on PAM enabled systems. ># UMASK is also used by useradd(8) and newusers(8) to set the mode for new ># home directories if HOME_MODE is not set. ># 022 is the default value, but 027, or even 077, could be considered ># for increased privacy. There is no One True Answer here: each sysadmin ># must make up their mind. >UMASK 022 > ># HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new ># home directories. ># If HOME_MODE is not set, the value of UMASK is used to create the mode. >HOME_MODE 0700 > ># Password aging controls: ># ># PASS_MAX_DAYS Maximum number of days a password may be used. ># PASS_MIN_DAYS Minimum number of days allowed between password changes. ># PASS_MIN_LEN Minimum acceptable password length. ># PASS_WARN_AGE Number of days warning given before a password expires. 
># >PASS_MAX_DAYS 99999 >PASS_MIN_DAYS 0 >PASS_WARN_AGE 7 > ># Currently PASS_MIN_LEN is not supported > ># Currently SU_WHEEL_ONLY is not supported > ># Currently CRACKLIB_DICTPATH is not supported > ># ># Min/max values for automatic uid selection in useradd(8) ># >UID_MIN 1000 >UID_MAX 60000 ># System accounts >SYS_UID_MIN 201 >SYS_UID_MAX 999</td></tr></tbody></table><h4><span class="label label-primary"><0, SYS_UID_MIN> system UIDs having shell set</span>Â > <span class="label label-default">oval:ssg-test_shell_defined_reserved_uid_range:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table><h4><span class="label label-primary"><SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set</span>Â > <span class="label label-default">oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_enable_authselect" id="rule-detail-idm46361752918272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-89732-2 
</div><div class="panel-heading"><h3 class="panel-title">Enable authselect</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_authselect</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_authselect:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-89732-2">CCE-89732-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.1</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure user authentication setup to use the <code>authselect</code> tool. >If authselect profile is selected, the rule will enable the <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr> profile.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Authselect is a successor to authconfig. 
>It is a tool to select system authentication and identity sources from a list of supported >profiles instead of letting the administrator manually build the PAM stack. > >That way, it avoids potential breakage of configuration, as it ships several tested profiles >that are well tested and supported to solve different use-cases.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > If the <code>sudo authselect select</code> command returns an error informing that the chosen >profile cannot be selected, it is probably because PAM files have already been modified by >the administrator. If this is the case, in order to not overwrite the desired changes made >by the administrator, the current PAM settings should be investigated before forcing the >selection of the chosen authselect profile.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183515360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362183515360"><pre><code> >var_authselect_profile='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr>' > > >authselect select "$var_authselect_profile" > >if test "$?" 
-ne 0; then > if rpm --quiet --verify pam; then > authselect select --force "$var_authselect_profile" > else > echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2 > fi >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183512944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362183512944"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value var_authselect_profile # promote to variable > set_fact: > var_authselect_profile: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr> > tags: > - always > >- name: Select authselect profile > ansible.builtin.command: > cmd: authselect select "{{ var_authselect_profile }}" > ignore_errors: true > register: result_authselect_select > tags: > - CCE-89732-2 > - NIST-800-53-AC-3 > - configure_strategy > - enable_authselect > - low_complexity > - medium_disruption > - medium_severity > - no_reboot_needed > >- name: Verify if PAM has been altered > ansible.builtin.command: > cmd: rpm -qV pam > register: result_altered_authselect > ignore_errors: true > when: result_authselect_select is failed > tags: > - CCE-89732-2 > - NIST-800-53-AC-3 > - configure_strategy > - enable_authselect > - low_complexity > - medium_disruption > - medium_severity > - no_reboot_needed > >- name: Informative message based on the authselect integrity check > ansible.builtin.assert: > that: > - result_altered_authselect is success > fail_msg: > - Files in the 'pam' package have been altered, so 
the authselect configuration > won't be forced. > tags: > - CCE-89732-2 > - NIST-800-53-AC-3 > - configure_strategy > - enable_authselect > - low_complexity > - medium_disruption > - medium_severity > - no_reboot_needed > >- name: Force authselect profile select > ansible.builtin.command: > cmd: authselect select --force "{{ var_authselect_profile }}" > when: > - result_altered_authselect is success > - result_authselect_select is failed > tags: > - CCE-89732-2 > - NIST-800-53-AC-3 > - configure_strategy > - enable_authselect > - low_complexity > - medium_disruption > - medium_severity > - no_reboot_needed ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart</span>Â > <span class="label label-default">oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_fingerprint_symlinked_to_authselect:obj:1</abbr></strong> of type > <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/fingerprint-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'password-auth' PAM config is a symlink to its authselect counterpart</span>Â > <span class="label label-default">oval:ssg-test_pam_password_symlinked_to_authselect:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test 
comment">oval:ssg-object_pam_password_symlinked_to_authselect:obj:1</abbr></strong> of type > <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'postlogin' PAM config is a symlink to its authselect counterpart</span>Â > <span class="label label-default">oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_postlogin_symlinked_to_authselect:obj:1</abbr></strong> of type > <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td></tr></tbody></table><h4><span class="label label-primary">The 'smartcard-auth' PAM config is a symlink to its authselect counterpart</span>Â > <span class="label label-default">oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_smartcard_symlinked_to_authselect:obj:1</abbr></strong> of type > <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/smartcard-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'system-auth' PAM config is a symlink to its authselect counterpart</span>Â > <span class="label label-default">oval:ssg-test_pam_system_symlinked_to_authselect:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr 
title="see the test comment">oval:ssg-object_pam_system_symlinked_to_authselect:obj:1</abbr></strong> of type > <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-detail-idm46361752435232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-83830-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_dac_modification_chmod:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83830-0">CCE-83830-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="">SRG-OS-000458-VMM-001810</a>, <a href="">SRG-OS-000474-VMM-001940</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.9</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect file permission changes for all users and root.
If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The changing of file permissions could indicate that a user is attempting to >gain access to information that would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independent of other system calls. 
Grouping these system >calls with others as identifying earlier in this guide is more efficient.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173451136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362173451136"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># First perform the remediation of the syscall rule ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > OTHER_FILTERS="" > AUID_FILTERS="-F auid>=1000 -F auid!=unset" > SYSCALL="chmod" > KEY="perm_mod" > SYSCALL_GROUPING="chmod fchmod fchmodat" > > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, lets use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > 
rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset 
full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173426912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362173426912"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83830-0 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - 
audit_rules_dac_modification_chmod > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Set architecture for audit chmod tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83830-0 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chmod > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for chmod for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - chmod > syscall_grouping: > - chmod > - fchmod > - fchmodat > > - name: Check existence of chmod in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: 
found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules > set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - chmod > syscall_grouping: > - chmod > - fchmod > - fchmodat > > - name: Check existence of chmod in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | 
unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83830-0 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chmod > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for chmod for 64bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - chmod > syscall_grouping: > - chmod > - fchmod > - fchmodat > > - name: Check existence of chmod in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: 
find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules > set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > 
path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - chmod > syscall_grouping: > - chmod > - fchmod > - fchmodat > > - name: Check existence of chmod in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - audit_arch == "b64" > tags: > - CCE-83830-0 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > 
- NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chmod > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit chmod</span>&nbsp; > <span class="label label-default">oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; 
> <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label 
label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit chmod</span>&nbsp; > <span class="label 
label-default">oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit chmod</span>&nbsp; > <span class="label label-default">oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit chmod</span>&nbsp; > <span class="label label-default">oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-detail-idm46361752431232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-83812-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_dac_modification_chown:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83812-8">CCE-83812-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a 
href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a href="">SRG-OS-000458-VMM-001810</a>, <a href="">SRG-OS-000474-VMM-001940</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.9</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect file ownership >changes for all users and root. If the <code>auditd</code> daemon is configured to >use the <code>augenrules</code> program to read audit rules during daemon startup >(the default), add the following line to a file with suffix <code>.rules</code> in >the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to the ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >If the system is 64 bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> >The OVAL check for this rule accepts either <code>-F auid!=unset</code> or <code>-F auid!=4294967295</code>, and either <code>-k &lt;key&gt;</code> or <code>-F key=&lt;key&gt;</code>, but the arch filter, the syscall, both auid filters and the key must all appear on a single rule line in that order; with <code>augenrules</code> only files matching <code>/etc/audit/rules.d/*.rules</code> are inspected.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The changing of file ownership could indicate that a user is attempting to >gain access to information that 
would otherwise be disallowed. Auditing DAC modifications >can facilitate the identification of patterns of abuse among both authorized and >unauthorized users.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; > Note that these rules can be configured in a >number of ways while still achieving the desired effect. Here the system calls >have been placed independently of other system calls. Grouping these system >calls with others, as identified earlier in this guide, is more efficient.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173296880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362173296880"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > ># First perform the remediation of the syscall rule ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > OTHER_FILTERS="" > AUID_FILTERS="-F auid>=1000 -F auid!=unset" > SYSCALL="chown" > KEY="perm_mod" > SYSCALL_GROUPING="chown fchown fchownat lchown" > > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$KEY.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If the audit tool is 'augenrules', then check if the audit rule is already defined ># If the rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If the rule isn't defined yet, add '/etc/audit/rules.d/$KEY.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, let's use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when the particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch (2nd argument) > # * the other filters (3rd argument) > # * the auid filters (4th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip the rest of the macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > 
rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset 
full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173280256" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362173280256"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83812-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - 
audit_rules_dac_modification_chown > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Set architecture for audit chown tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83812-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chown > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for chown for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - chown > syscall_grouping: > - chown > - fchown > - fchownat > - lchown > > - name: Check existence of chown in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > 
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules > set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - chown > syscall_grouping: > - chown > - fchown > - fchownat > - lchown > > - name: Check existence of chown in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ 
(syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83812-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chown > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for chown for 64bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - chown > syscall_grouping: > - chown > - fchown > - fchownat > - lchown > > - name: Check existence of chown in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset 
(-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules > set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - 
name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - chown > syscall_grouping: > - chown > - fchown > - fchownat > - lchown > > - name: Check existence of chown in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=perm_mod > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - audit_arch == "b64" > tags: > - 
CCE-83812-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_dac_modification_chown > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit chown</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_chown_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chown_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span 
class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit 
chown</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_chown_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chown_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit chown</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_chown_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chown_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit chown</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_chown_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chown_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-detail-idm46361752386592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-83748-4 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run chcon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_chcon:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83748-4">CCE-83748-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.15</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171103104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362171103104"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()



# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171087360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362171087360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83748-4
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_chcon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/bin/chcon
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
      | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
      0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
      | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
      | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
      | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F
        auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
        -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
        path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
      | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
        -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset
        (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x
        -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83748-4
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_chcon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules chcon</span> <span class="label label-default">oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl chcon</span> <span class="label label-default">oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel 
panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" id="rule-detail-idm46361752382592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run restoreconxccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon mediumCCE-83749-2 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run restorecon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_restorecon:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83749-2">CCE-83749-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. 
Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.
<br><br>
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171012432" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script</a><br><div class="panel-collapse collapse" id="idm46362171012432"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()



# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170986336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet</a><br><div class="panel-collapse collapse" id="idm46362170986336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83749-2
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_restorecon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/sbin/restorecon
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
        path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path
      :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten
      | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item,
      0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'')
      | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value')
      | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
      | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file]
        | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x
        -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon
        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F
        path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item')
      | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:(
        -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset
        (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon
        -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83749-2
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_restorecon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules restorecon</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl restorecon</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-detail-idm46361752378592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-83750-0 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run semanage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_semanage:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83750-0">CCE-83750-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt >of the <code>semanage</code> command for all users and root. 
If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threats. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170899824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170899824"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > >ACTION_ARCH_FILTERS="-a always,exit" >OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x" >AUID_FILTERS="-F auid>=1000 -F auid!=unset" >SYSCALL="" >KEY="privileged" >SYSCALL_GROUPING="" ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, let's use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e 
"\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! -e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170884288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362170884288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83750-0 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-2(4) > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
audit_rules_execution_semanage > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for /usr/sbin/semanage > block: > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules > set_fact: audit_file="/etc/audit/rules.d/privileged.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare 
missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x > -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( > -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset > (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") 
}}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83750-0 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-2(4) > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_semanage > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>  > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>  > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules semanage</span>  > <span class="label label-default">oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1</span>  > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>  > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>  > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl semanage</span>  > <span class="label label-default">oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1</span>  > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-detail-idm46361752374592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles mediumCCE-83736-9 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setfiles</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_setfiles:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>  > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83736-9">CCE-83736-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>  > <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, 
<a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt >of the <code>setfiles</code> command for all users and root. If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threats. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. 
As such, motivation exists to monitor these programs for >unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170852768" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170852768"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > >ACTION_ARCH_FILTERS="-a always,exit" >OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x" >AUID_FILTERS="-F auid>=1000 -F auid!=unset" >SYSCALL="" >KEY="privileged" >SYSCALL_GROUPING="" ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, let's use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > 
rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset 
full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170837040" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362170837040"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83736-9 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_setfiles > - low_complexity > - 
low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for /usr/sbin/setfiles > block: > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules > set_fact: audit_file="/etc/audit/rules.d/privileged.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ 
syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x > -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( > -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset > (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: 
syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83736-9 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_setfiles > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules setfiles</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl setfiles</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div 
class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-detail-idm46361752370592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-83751-8 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setsebool</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_setsebool:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83751-8">CCE-83751-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt >of the <code>setsebool</code> command for all users and root. 
If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threats. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170756128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170756128"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > >ACTION_ARCH_FILTERS="-a always,exit" >OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x" >AUID_FILTERS="-F auid>=1000 -F auid!=unset" >SYSCALL="" >KEY="privileged" >SYSCALL_GROUPING="" ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, let's use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e 
"\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! -e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170740304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362170740304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83751-8 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_setsebool > 
- low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for /usr/sbin/setsebool > block: > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules > set_fact: audit_file="/etc/audit/rules.d/privileged.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: 
missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x > -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( > -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset > (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > 
state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83751-8 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_setsebool > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules setsebool</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl setsebool</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div 
class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" id="rule-detail-idm46361752366592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run seunsharexccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare mediumCCE-83746-8 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run seunshare</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_seunshare:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83746-8">CCE-83746-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt >of the <code>seunshare</code> command for all users and root. 
If the <code>auditd</code> >daemon is configured to use the <code>augenrules</code> program to read audit rules >during daemon startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by >authorized users, or by unauthorized external entities that have compromised system accounts, >is a serious and ongoing concern and can have significant adverse impacts on organizations. >Auditing the use of privileged functions is one way to detect such misuse and identify >the risk from insider and advanced persistent threats. ><br><br> >Privileged programs are subject to escalation-of-privilege attacks, >which attempt to subvert their normal role of providing some necessary but >limited capability. As such, motivation exists to monitor these programs for >unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170710944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362170710944"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > >ACTION_ARCH_FILTERS="-a always,exit" >OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x" >AUID_FILTERS="-F auid>=1000 -F auid!=unset" >SYSCALL="" >KEY="privileged" >SYSCALL_GROUPING="" ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, lets use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e 
"\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! -e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170695120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362170695120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83746-8 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_seunshare > - low_complexity > - 
low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for /usr/sbin/seunshare > block: > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules > set_fact: audit_file="/etc/audit/rules.d/privileged.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ 
syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x > -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: [] > syscall_grouping: [] > > - name: Check existence of in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F > path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( > -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset > (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: 
syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare -F > perm=x -F auid>=1000 -F auid!=unset -F key=privileged > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83746-8 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - audit_rules_execution_seunshare > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules seunshare</span> > <span class="label label-default">oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl seunshare</span> > <span class="label label-default">oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div 
class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" id="rule-detail-idm46361752285856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification mediumCCE-83793-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_unsuccessful_file_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83793-0">CCE-83793-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum the audit system should collect unauthorized file >accesses for all users and root. 
If the <code>auditd</code> daemon is configured >to use the <code>augenrules</code> program to read audit rules during daemon >startup (the default), add the following lines to a file with suffix ><code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access >-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access >-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access >-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> >If the system is 64 bit then also add the following lines: ><pre> >-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access >-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
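The rule lines above give one canonical spelling, but <code>auditctl</code> accepts equivalents, and a checker that insists on the literal text flags files that already enforce the rule. The remediation script below matches <code>-F auid!=unset</code> literally, while the OVAL patterns elsewhere in this report (the seunshare tests above, for example) also accept <code>auid!=4294967295</code> and <code>auid!=-1</code>; both the script and the Ansible snippets accept syscalls written as <code>-S a,b</code> or as repeated <code>-S a -S b</code>, and a key given as <code>-F key=</code> or <code>-k</code>. The following is an added example, not part of the SSG content or of this report, that checks a rules file for all four arch/exit-code combinations of this rule with that same tolerance. The two sample rules files are constructed inline; nothing under <code>/etc/audit</code> is read.

```shell
#!/usr/bin/env bash
# Added example, not part of the SSG content or of this report.
# Checks whether a rules file already satisfies the "unsuccessful file
# modification" rule for every arch/exit-code combination, accepting the
# equivalent spellings auditctl accepts: syscalls grouped as "-S a,b,c" or
# listed as "-S a -S b", the key as "-F key=x" or "-k x", and auid!=unset
# also written as auid!=4294967295 or auid!=-1.
# The sample rules files are constructed below; /etc/audit is never read.

REQUIRED_SYSCALLS="creat open openat open_by_handle_at truncate ftruncate"

# rule_syscalls LINE: print every syscall named by a -S on LINE, one per line
rule_syscalls() {
    printf '%s\n' "$1" \
        | grep -oE -- '-S[[:space:]]+[[:alnum:]_,]+' \
        | sed -E 's/^-S[[:space:]]+//' \
        | tr ',' '\n'
}

# covers FILE ARCH EXIT: succeed if some exit-list rule in FILE has arch=ARCH,
# exit=EXIT, both auid filters, a key, and names every required syscall
covers() {
    local file=$1 arch=$2 exit_code=$3 line sc missing
    while IFS= read -r line; do
        case "$line" in
            *"-a always,exit"*) ;;
            *) continue ;;          # comments, control lines, other lists
        esac
        printf '%s' "$line" | grep -qE -- "-F[[:space:]]+arch=$arch([[:space:]]|\$)"      || continue
        printf '%s' "$line" | grep -qE -- "-F[[:space:]]+exit=$exit_code([[:space:]]|\$)" || continue
        printf '%s' "$line" | grep -qE -- '-F[[:space:]]+auid>=1000([[:space:]]|$)'       || continue
        printf '%s' "$line" | grep -qE -- '-F[[:space:]]+auid!=(unset|4294967295|-1)([[:space:]]|$)' || continue
        printf '%s' "$line" | grep -qE -- '(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+'       || continue
        missing=0
        for sc in $REQUIRED_SYSCALLS; do   # word-split on purpose
            rule_syscalls "$line" | grep -qx -- "$sc" || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
    done < "$file"
    return 1
}

# check_all FILE: report each arch/exit combination; fail if any is uncovered
check_all() {
    local file=$1 arch ex rc=0
    for arch in b32 b64; do
        for ex in -EACCES -EPERM; do
            if covers "$file" "$arch" "$ex"; then
                echo "ok      arch=$arch exit=$ex"
            else
                echo "MISSING arch=$arch exit=$ex"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample 1: compliant, mixing both -S spellings and both key forms
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
EOF

# Constructed sample 2: b32 complete; b64 -EACCES lacks ftruncate, b64 -EPERM lacks a key
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT

echo "== compliant sample ==";  check_all "$SAMPLE_OK"  || true
echo "== incomplete sample =="; check_all "$SAMPLE_BAD" || true
```

On a real host, point <code>check_all</code> at the concatenation of <code>/etc/audit/rules.d/*.rules</code> when <code>auditd.service</code> loads rules through <code>augenrules</code>, or at <code>/etc/audit/audit.rules</code> when it uses <code>auditctl</code>; the augenrules/auditctl OVAL tests above show how the report makes that distinction. The check deliberately requires a 32-bit rule on 64-bit hosts as well, since the description does and a 32-bit <code>open</code> issued through the compat syscall table is otherwise unaudited.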
Auditing >these events could serve as evidence of potential system compromise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule checks for multiple syscalls related to unsuccessful file modification; >it was written with DISA STIG in mind. Other policies should use a >separate rule for each syscall that needs to be checked. For example: ><ul><li><code>audit_rules_unsuccessful_file_modification_open</code></li><li><code>audit_rules_unsuccessful_file_modification_ftruncate</code></li><li><code>audit_rules_unsuccessful_file_modification_creat</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362169398720" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▼</a><br><div class="panel-collapse collapse" id="idm46362169398720"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > ># Perform the remediation of the syscall rule ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > > # First fix the -EACCES requirement > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > OTHER_FILTERS="-F exit=-EACCES" > AUID_FILTERS="-F auid>=1000 -F auid!=unset" > SYSCALL="creat open openat open_by_handle_at truncate ftruncate" > KEY="access" > SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate" > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, lets use a different delimiter for it ># The "F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > 
rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset 
full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
    # This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

    # Then fix the -EPERM requirement
    # No need to change content of $GROUP variable - it's the same as for -EACCES case above
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS="-F exit=-EPERM"
    AUID_FILTERS="-F auid>=1000 -F auid!=unset"
    SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
    KEY="access"
    SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required.
    # This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()



# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required.
    # This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit 
auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>Â > <span class="label 
label-default">oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items 
have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span 
class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp; <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp; <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine 
class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â 
> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">audit augenrules 64-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â > <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â > <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label 
label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file 
eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">audit augenrules 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit 
architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">audit auditctl 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" id="rule-detail-idm46361752202864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloadingxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading mediumCCE-83804-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-audit_rules_kernel_module_loading:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83804-5">CCE-83804-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</a></p></td></tr><tr><td>Description</td><td><div class="description">To capture kernel module loading and unloading events, use the following line, setting ARCH to
b32 on a 32-bit system; on a 64-bit system add two lines, one with b32 and one with b64:
<pre>
-a always,exit -F arch=<i>ARCH</i> -S init_module,finit_module,delete_module -F key=modules
</pre>

Where to add the lines depends on how the <code>auditd</code> daemon is configured. If it is configured
to use the <code>augenrules</code> program (the default), add the lines to a file with the suffix
<code>.rules</code> in the directory <code>/etc/audit/rules.d</code>.

If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility,
add the lines to the file <code>/etc/audit/audit.rules</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The addition or removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of the modules that have been introduced into the kernel.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362165215776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362165215776"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># First perform the remediation of the syscall rule ># Retrieve hardware architecture of the underlying system ># Note: 32-bit and 64-bit kernel syscall numbers not always line up => ># it's required on a 64-bit system to check also for the presence ># of 32-bit's equivalent of the corresponding rule. 
># (See `man 7 audit.rules` for details ) >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > OTHER_FILTERS="" > > AUID_FILTERS="-F auid>=1000 -F auid!=unset" > > SYSCALL="init_module finit_module delete_module" > KEY="modules" > SYSCALL_GROUPING="init_module finit_module delete_module" > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > ># If audit tool is 'augenrules', then check if the audit rule is defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection ># If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection >default_file="/etc/audit/rules.d/$KEY.rules" ># As other_filters may include paths, lets use a different delimiter for it ># The 
"F" script expression tells sed to print the filenames where the expressions matched >readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) ># Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet >if [ ${#files_to_inspect[@]} -eq "0" ] >then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! -e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi >fi > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi > unset syscall_a >unset syscall_grouping >unset syscall_string >unset syscall >unset file_to_edit >unset rule_to_edit >unset rule_syscalls_to_edit >unset other_string >unset auid_string >unset full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362165201248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362165201248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83804-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.2.7 > - audit_rules_kernel_module_loading > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Set architecture for audit tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83804-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.7 > - audit_rules_kernel_module_loading > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for kernel module loading for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - init_module > - delete_module > - finit_module > syscall_grouping: > - init_module > - delete_module > - finit_module > > - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ 
find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules > set_fact: audit_file="/etc/audit/rules.d/modules.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=modules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - init_module > - delete_module > - finit_module > syscall_grouping: > - init_module > - delete_module > - finit_module > > - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules > find: > paths: 
/etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=modules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83804-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.7 > - audit_rules_kernel_module_loading > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Perform remediation of Audit rules for kernel module loading for 64bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - init_module > - delete_module > - finit_module > 
syscall_grouping: > - init_module > - delete_module > - finit_module > > - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules > set_fact: audit_file="/etc/audit/rules.d/modules.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F 
arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k > |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=modules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - init_module > - delete_module > - finit_module > syscall_grouping: > - init_module > - delete_module > - finit_module > > - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F > key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > 
path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 > -F auid!=unset -F key=modules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - audit_arch == "b64" > tags: > - CCE-83804-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.7 > - audit_rules_kernel_module_loading > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit init_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit init_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">audit auditctl 32-bit init_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit init_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit delete_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label 
label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label 
label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit delete_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit delete_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit 
architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">audit auditctl 64-bit delete_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit finit_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit finit_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">audit auditctl 32-bit finit_module</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit finit_module</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events" 
id="rule-detail-idm46361752190704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Eventsxccdf_org.ssgproject.content_rule_audit_rules_login_events mediumCCE-83784-9 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83784-9">CCE-83784-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users
and root.
If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre>
The check inspects the rules files only; rules added to them are read when
<code>auditd</code> starts, so run <code>augenrules --load</code> (or restart
<code>auditd</code>) afterwards so that the running kernel also enforces the new watches.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;
This rule checks for multiple file watches related to login events;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each file that needs to be watched. 
For example:
<ul><li><code>audit_rules_login_events_tallylog</code></li><li><code>audit_rules_login_events_faillock</code></li><li><code>audit_rules_login_events_lastlog</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164652304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362164652304"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        # (the watched path is followed by whitespace, then -p; no literal space is required)
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules tallylog</span>&nbsp;
<span class="label label-default">oval:ssg-test_arle_tallylog_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl tallylog</span>&nbsp;
<span class="label label-default">oval:ssg-test_arle_tallylog_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules faillock</span>&nbsp;
<span class="label label-default">oval:ssg-test_arle_faillock_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl faillock</span>&nbsp; > <span class="label label-default">oval:ssg-test_arle_faillock_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules lastlog</span>&nbsp; > <span class="label label-default">oval:ssg-test_arle_lastlog_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl lastlog</span>&nbsp; > <span class="label label-default">oval:ssg-test_arle_lastlog_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_auditctl:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-detail-idm46361752186720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-83783-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - faillock</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events_faillock:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83783-1">CCE-83783-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a href="">SRG-OS-000470-VMM-001900</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users >and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/faillock -p wa -k logins</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file in order to watch for attempted manual >edits of files involved in storing logon events: ><pre>-w /var/log/faillock -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such >as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164511856" tabindex="0" role="button" 
aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362164511856"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. 
-p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. >readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/logins.rules" > # If the logins.rules file doesn't exist yet, create it with correct permissions > if [ ! 
-e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. 
Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file" > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164502336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362164502336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key logins > find: > paths: 
/etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)logins$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/logins.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - 
NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/log/faillock in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /var/log/faillock -p wa -k logins > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/log/faillock in /etc/audit/audit.rules > lineinfile: > line: -w /var/log/faillock -p wa -k logins > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_audit_rules.matched is 
defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83783-1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_login_events_faillock > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules faillock</span>&nbsp; > <span class="label label-default">oval:ssg-test_arle_faillock_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label 
label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl faillock</span>&nbsp; > <span class="label label-default">oval:ssg-test_arle_faillock_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-detail-idm46361752182720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-83785-6 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - lastlog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events_lastlog:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83785-6">CCE-83785-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a
href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a href="">SRG-OS-000470-VMM-001900</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164387472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362164387472"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        # (no literal space before $sp after the path: with one, a rule written with a single
        # space never matches, the existing bits are read as empty and get overwritten below)
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        # (same pattern as above: no literal space between the path and $sp)
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the audit rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164379296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362164379296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key logins
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/lastlog in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/lastlog -p wa -k logins
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/lastlog in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/lastlog -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83785-6
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_lastlog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules lastlog</span>&nbsp; <span class="label label-default">oval:ssg-test_arle_lastlog_augenrules:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl lastlog</span>&nbsp; <span class="label label-default">oval:ssg-test_arle_lastlog_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-detail-idm46361752178720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search
the report rules-->Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-83782-3 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - tallylog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events_tallylog:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83782-3">CCE-83782-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a href="">SRG-OS-000470-VMM-001900</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events:
<pre>-w /var/log/tallylog -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164271184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell
script ⇲</a><br><div class="panel-collapse collapse" id="idm46362164271184"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        # (no literal space between the path and $sp, so the pattern matches the same
        # rule lines as the sed -i expression below)
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        # (no literal space between the path and $sp, so the pattern matches the same
        # rule lines as the sed -i expression below)
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164261488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362164261488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/tallylog already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key logins
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/tallylog in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/tallylog -p wa -k logins
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/tallylog already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/tallylog in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/tallylog -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules tallylog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_tallylog_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl tallylog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_tallylog_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" id="rule-detail-idm46361752163904"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-83759-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule
ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_privileged_commands:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83759-1">CCE-83759-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a 
href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO08.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002234</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.CO-2</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</a>, <a href="">SRG-OS-000471-VMM-001910</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.6</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system should collect information about usage of privileged
commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition
<i>PART</i>:
<pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre>
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code>
program to read audit rules during daemon startup (the default), add a line of
the following form to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code> for each setuid / setgid program on the system,
replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid /
setgid program in the list:
<pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>=1000 -F auid!=unset -F key=privileged</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add a line of the following
form to <code>/etc/audit/audit.rules</code> for each setuid / setgid program on the
system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that
setuid / setgid program in the list:
<pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
<br><br>
Privileged programs are subject to escalation-of-privilege attacks,
which attempt to subvert their normal role of providing some necessary but
limited capability. As such, motivation exists to monitor these programs for
unusual activity.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;
This rule checks the audit rules for many privileged commands at once;
it was written with DISA STIG in mind. Other policies should use a
separate rule for each privileged command that needs to be checked. For example:
<ul><li><code>audit_rules_privileged_commands_su</code></li><li><code>audit_rules_privileged_commands_umount</code></li><li><code>audit_rules_privileged_commands_passwd</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362163959424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362163959424"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
files_to_inspect=()

# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules' to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
#   missing rules should be inserted
files_to_inspect=("/etc/audit/audit.rules")
output_audit_file="/etc/audit/audit.rules"

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
privileged_binaries=()
readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null)

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

    # Check if this sbinary wasn't already handled in some of the previous sbinary iterations
    # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
    if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
    then
        # If so, don't process it second time & go to process next sbinary
        continue
    fi

    # Reset the counter of inspected files when starting to check
    # presence of existing audit rule for new sbinary
    count_of_inspected_files=0

    # Define expected rule form for this binary
    expected_rule="-a always,exit -F path=${sbinary} -F auid>=1000 -F auid!=unset -F key=privileged"

    # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
    if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
        echo "$expected_rule" >> "$output_audit_file"
        continue
    fi

    # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
    sbinary_esc=${sbinary//$'/'/$'\/'}

    # For each audit rules file from the list of files to be inspected
    for afile in "${files_to_inspect[@]}"
    do
        # Search current audit rules file's content for match. Match criteria:
        # * existing rule is for the same SUID/SGID binary we are currently processing (but
        #   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
        # * existing rule contains all arguments from expected rule form (though can contain
        #   them in arbitrary order)

        base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
                          -e '/-F path=[^[:space:]]\+/!d' \
                          -e '/-F auid>='"1000"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
                          -e '/-k \|-F key=/!d' "$afile")

        # Increase the count of inspected files for this sbinary
        count_of_inspected_files=$((count_of_inspected_files + 1))

        # Search current audit rules file's content for presence of rule pattern for this sbinary
        if [[ $base_search ]]
        then

            # Current audit rules file already contains rule for this binary =>
            # Store the exact form of found rule for this binary for further processing
            concrete_rule=$base_search

            # Select all other SUID/SGID binaries possibly also present in the found rule

            readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
            handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")

            # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
            readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)

            # if there is a -F perm flag, remove it
            if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then

                # Separate concrete_rule into three sections using hash '#'
                # sign as a delimiter around rule's permission section borders
                # note that the trailing space after perm flag is captured because there would be
                # two consecutive spaces after joining remaining parts of the rule together
                concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"

                # Split concrete_rule into head and tail sections using hash '#' delimiter
                # The second column contains the permission section, which we don't need to extract
                rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
                rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")

                # Remove permissions section from existing rule in the file
                sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
            fi
        # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
        #
        # * in the "auditctl" mode of operation insert particular rule each time
        #   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
        #
        # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
        #   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
        #   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
        #

        else
            # Check if this sbinary wasn't already handled in some of the previous afile iterations
            # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
            if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
            then
                # Current audit rules file's content doesn't contain expected rule for this
                # SUID/SGID binary yet => append it
                echo "$expected_rule" >> "$output_audit_file"
            fi
            continue
        fi
    done
done
files_to_inspect=()
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
#   (split by newline),
# * specify '/etc/audit/rules.d/privileged.rules' as the output file, where
#   missing rules should be inserted
readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)
output_audit_file="/etc/audit/rules.d/privileged.rules"

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
privileged_binaries=()
readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null)

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

    # Check if this sbinary wasn't already handled in some of the previous sbinary iterations
    # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
    if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
    then
        # If so, don't process it second time & go to process next sbinary
        continue
    fi

    # Reset the counter of inspected files when starting to check
    # presence of existing audit rule for new sbinary
    count_of_inspected_files=0

    # Define expected rule form for this binary
    expected_rule="-a always,exit -F path=${sbinary} -F auid>=1000 -F auid!=unset -F key=privileged"

    # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
    if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
        echo "$expected_rule" >> "$output_audit_file"
        continue
    fi

    # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
    sbinary_esc=${sbinary//$'/'/$'\/'}

    # For each audit rules file from the list of files to be inspected
    for afile in "${files_to_inspect[@]}"
    do
        # Search current audit rules file's content for match. Match criteria:
        # * existing rule is for the same SUID/SGID binary we are currently processing (but
        #   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
        # * existing rule contains all arguments from expected rule form (though can contain
        #   them in arbitrary order)

        base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
                          -e '/-F path=[^[:space:]]\+/!d' \
                          -e '/-F auid>='"1000"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
                          -e '/-k \|-F key=/!d' "$afile")

        # Increase the count of inspected files for this sbinary
        count_of_inspected_files=$((count_of_inspected_files + 1))

        # Search current audit rules file's content for presence of rule pattern for this sbinary
        if [[ $base_search ]]
        then

            # Current audit rules file already contains rule for this binary =>
            # Store the exact form of found rule for this binary for further processing
            concrete_rule=$base_search

            # Select all other SUID/SGID binaries possibly also present in the found rule

            readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
            handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")

            # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
            readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)

            # if there is a -F perm flag, remove it
            if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then

                # Separate concrete_rule into three sections using hash '#'
                # sign as a delimiter around rule's permission section borders
                # note that the trailing space after perm flag is captured because there would be
                # two consecutive spaces after joining remaining parts of the rule together
                concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"

                # Split concrete_rule into head and tail sections using hash '#' delimiter
                # The second column contains the permission section, which we don't need to extract
                rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
                rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")

                # Remove permissions section from existing rule in the file
                sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
            fi
        # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
        #
        # * in the "auditctl" mode of operation insert particular rule each time
        #   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
        #
        # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
        #   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
        #   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
        #
        elif [[ $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
        then

            # Check if this sbinary wasn't already handled in some of the previous afile iterations
            # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
            if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
            then
                # Current audit rules file's content doesn't contain expected rule for this
                # SUID/SGID binary yet => append it
                echo "$expected_rule" >> "$output_audit_file"
            fi
            continue
        fi
    done
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362163941040" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362163941040"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search for privileged commands
  shell: |
    set -o pipefail
    find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
  args:
    executable: /bin/bash
  check_mode: false
  register: find_result
  changed_when: false
  failed_when: false
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path={{ item }} .*$
    patterns: '*.rules'
  with_items:
  - '{{ find_result.stdout_lines }}'
  register: files_result
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Overwrites the rule in rules.d
  lineinfile:
    path: '{{ item.1.path }}'
    line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F
      key=privileged
    create: false
    regexp: ^.*path={{ item.0.item }} .*$
  with_subelements:
  - '{{ files_result.results }}'
  - files
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  with_items:
  - '{{ files_result.results }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - files_result.results is defined and item.matched == 0
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
    regexp: ^.*path={{ item.item }} .*$
  with_items:
  - '{{ files_result.results }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results 
details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules suid sgid</span>Â > <span class="label label-default">oval:ssg-test_arpc_suid_sgid_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arpc_suid_sgid_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th><th>Filter</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td><td>oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules binaries count matches rules count</span>Â > <span class="label label-default">oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1</span>Â > <span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1</td><td>20</td></tr></tbody></table><h4><span class="label label-primary">audit 
auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl suid sgid</span>Â > <span class="label label-default">oval:ssg-test_arpc_suid_sgid_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arpc_suid_sgid_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td><td>oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl binaries count matches rules count</span>Â > <span class="label label-default">oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1</span>Â > <span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1</td><td>20</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" id="rule-detail-idm46361752091856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex mediumCCE-83840-9 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through adjtimex</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_adjtimex:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83840-9">CCE-83840-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>: ><pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre> >If the system is 64-bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following line to the ><code>/etc/audit/audit.rules</code> file: ><pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre> >If the system is 64-bit then also add the following line: ><pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre> >The -k option allows for the specification of a key in string form that can be >used for better reporting capability through ausearch and aureport. Multiple >system calls can be defined on the same line to save space if desired, but this is >not required. See an example of multiple combined syscalls: ><pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate >nefarious activities in log files, as well as to confuse network services that >are highly dependent upon an accurate system time (such as sshd). 
All changes >to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161657520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362161657520"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > # Create expected audit group and audit rule form for particular system call & architecture > if [ ${ARCH} = "b32" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call is known at 32-bit arch (see e.g. "$ ausyscall i386 stime" 's output) > # so append it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday stime" > SYSCALL_GROUPING="adjtimex settimeofday stime" > elif [ ${ARCH} = "b64" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) > # therefore don't add it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday" > SYSCALL_GROUPING="adjtimex settimeofday" > fi > OTHER_FILTERS="" > AUID_FILTERS="" > KEY="audit_time_rules" > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a > unset syscall_grouping > unset syscall_string > unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of 
audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > # If audit tool is 'augenrules', then check if the audit rule is defined > # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection > # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection > default_file="/etc/audit/rules.d/$KEY.rules" > # As other_filters may include paths, let's use a different delimiter for it > # The "F" script expression tells sed to print the filenames where the expressions matched > readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) > # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet > if [ ${#files_to_inspect[@]} -eq "0" ] > then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi > fi > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2nd argument) > # * the other filters, (3rd argument) > # * the auid filters, (4th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > 
file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi > unset syscall_a > unset syscall_grouping > unset syscall_string > unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset 
other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > > # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' > # file to the list of files to be inspected > default_file="/etc/audit/audit.rules" > files_to_inspect+=('/etc/audit/audit.rules' ) > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2nd argument) > # * the other filters, (3rd argument) > # * the auid filters, (4th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" 
-gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161634976" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362161634976"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83840-9 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.4.2.b > - audit_rules_time_adjtimex > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set architecture for audit tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83840-9 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.4.2.b > - audit_rules_time_adjtimex > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for adjtimex for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - adjtimex > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of adjtimex in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > 
set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules > set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - adjtimex > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of adjtimex in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to 
/etc/audit/audit.rules
      set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - '"audit" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83840-9
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - audit_rules_time_adjtimex
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Perform remediation of Audit rules for adjtimex for 64bit platform
  block:

    - name: Declare list of syscalls
      set_fact:
        syscalls:
          - adjtimex
        syscall_grouping:
          - adjtimex
          - settimeofday

    - name: Check existence of adjtimex in /etc/audit/rules.d/
      find:
        paths: /etc/audit/rules.d
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: '*.rules'
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Reset syscalls found per file
      set_fact:
        syscalls_per_file: {}
        found_paths_dict: {}

    - name: Declare syscalls found per file
      set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
      loop: '{{ find_command.results | selectattr(''matched'') | list }}'

    - name: Declare files where syscalls were found
      set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

    - name: Count occurrences of syscalls in paths
      set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
      loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

    - name: Get path with most syscalls
      set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
      when: found_paths | length >= 1

    - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
      set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
      when: found_paths | length == 0

    - name: Declare found syscalls
      set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: o-rwx
        state: present
      when: syscalls_found | length == 0

    - name: Declare list of syscalls
      set_fact:
        syscalls:
          - adjtimex
        syscall_grouping:
          - adjtimex
          - settimeofday
          - stime

    - name: Check existence of adjtimex in /etc/audit/audit.rules
      find:
        paths: /etc/audit
        contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
        patterns: audit.rules
      register: find_command
      loop: '{{ (syscall_grouping + syscalls) | unique }}'

    - name: Set path to /etc/audit/audit.rules
      set_fact: audit_file="/etc/audit/audit.rules"

    - name: Declare found syscalls
      set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

    - name: Declare missing syscalls
      set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

    - name: Replace the audit rule in {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
        line: \1\2\3{{ missing_syscalls | join("\3") }}\4
        backrefs: true
        state: present
      when: syscalls_found | length > 0 and missing_syscalls | length > 0

    - name: Add the audit rule to {{ audit_file }}
      lineinfile:
        path: '{{ audit_file }}'
        line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
        create: true
        mode: o-rwx
        state: present
      when: syscalls_found | length == 0
  when:
    - '"audit" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - audit_arch == "b64"
  tags:
    - CCE-83840-9
    - CJIS-5.4.1.1
    - NIST-800-171-3.1.7
    - NIST-800-53-AC-6(9)
    - NIST-800-53-AU-12(c)
    - NIST-800-53-AU-2(d)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4.2.b
    - audit_rules_time_adjtimex
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161617488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161617488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit adjtimex</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit adjtimex</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit adjtimex</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit adjtimex</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"
id="rule-detail-idm46361752087856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-83837-5 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through clock_settime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_clock_settime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83837-5">CCE-83837-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre>
If the system is 64 bit then also add the following line:
<pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre>
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls:
<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161516576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161516576"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS="-F a0=0x0"
    AUID_FILTERS=""
    SYSCALL="clock_settime"
    KEY="time-change"
    SYSCALL_GROUPING=""
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
    #       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()


    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, let's use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset
full_rule > ># Load macro arguments into arrays >read -a syscall_a <<< $SYSCALL >read -a syscall_grouping <<< $SYSCALL_GROUPING > ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- ># >files_to_inspect=() > > > ># If audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># file to the list of files to be inspected >default_file="/etc/audit/audit.rules" >files_to_inspect+=('/etc/audit/audit.rules' ) > ># After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead >skip=1 > >for audit_file in "${files_to_inspect[@]}" >do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi >done > >if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 
0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi >fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161501488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362161501488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83837-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.4.2.b > - audit_rules_time_clock_settime > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set architecture for audit tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83837-5 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.4.2.b > - audit_rules_time_clock_settime > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for clock_settime for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - clock_settime > syscall_grouping: [] > > - name: Check existence of clock_settime in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > 
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
    set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - clock_settime
      syscall_grouping: []

  - name: Check existence of clock_settime in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83837-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_clock_settime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for clock_settime for 64bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - clock_settime
      syscall_grouping: []

  - name: Check existence of clock_settime in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules
    set_fact: audit_file="/etc/audit/rules.d/time-change.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - clock_settime
      syscall_grouping: []

  - name: Check existence of clock_settime in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83837-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_clock_settime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161487360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161487360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit clock_settime</span>&nbsp;
<span class="label 
label-default">oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit clock_settime</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit clock_settime</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit clock_settime</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="rule-detail-idm46361752083856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-83836-7 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through settimeofday</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_settimeofday:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83836-7">CCE-83836-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>:
<pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file:
<pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</pre>
If the system is 64-bit, also add the following line:
<pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</pre>
The <code>-F key=</code> field (or its short form <code>-k</code>) attaches a string key to every event the rule produces, so the matching events can be selected with <code>ausearch -k audit_time_rules</code> and summarised with <code>aureport</code>. Multiple system calls can be listed on the same line to save space if desired, but this is not required. An example of several syscalls combined in one rule:
<pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
The rule files are only read when the rules are loaded: after editing, run <code>augenrules --load</code> (the command <code>auditd.service</code> itself runs at startup, as the OVAL details below show) or load <code>audit.rules</code> with <code>auditctl -R</code>, then confirm with <code>auditctl -l | grep settimeofday</code> that both architectures are covered. Both lines are needed on a 64-bit host because the <code>b64</code> rule only matches callers using the 64-bit syscall ABI; a 32-bit program enters through the <code>b32</code> ABI and would otherwise go unrecorded.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
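The description above gives the rule to add and notes that several syscalls may share one line; the shell and Ansible remediations below then have to decide whether an existing rule already satisfies the check, whether the syscall can be grouped into a neighbouring time rule, or whether a new line must be appended. The following Python is an added example, not code from the SCAP Security Guide content or from this report: it re-implements that candidate-and-grouping logic on in-memory rules text so it can be exercised without root or a running auditd. The names (SAMPLE_RULES, TIME_GROUP, parse_rule, is_audited, remediate) are the example's own, and the sample rules are constructed rather than captured from the scanned host.

```python
"""Check whether a syscall is audited and remediate the rules text in memory.

Added example, not SSG or OpenSCAP code. It mirrors the shell remediation on
this page: a rule only counts if it has the same '-a always,exit -F arch=',
carries a key, and has no additional -F filters narrowing its scope.
"""

KEY = "audit_time_rules"
# Syscalls SSG groups under the time-rules key; stime exists only on 32-bit.
TIME_GROUP = {"b32": ["adjtimex", "settimeofday", "stime"],
              "b64": ["adjtimex", "settimeofday"]}

# Constructed sample rules content (not captured from any real system).
# b32 already audits settimeofday; b64 only has a narrower auid-filtered rule,
# which the check does not accept, plus an adjtimex rule it can be grouped into.
SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -F auid>=1000 -F key=privileged_time
-w /etc/localtime -p wa -k audit_time_rules
"""


def parse_rule(line):
    """Split one '-a always,exit' syscall rule into parts; None for anything else."""
    tokens = line.split()
    if tokens[:2] != ["-a", "always,exit"] or len(tokens) % 2:
        return None
    rule = {"arch": None, "syscalls": [], "key": None, "other": [], "comma": False}
    for opt, arg in zip(tokens[2::2], tokens[3::2]):
        if opt == "-S":                        # '-S a,b' or repeated '-S a -S b'
            rule["syscalls"] += arg.split(",")
            rule["comma"] |= "," in arg
        elif opt == "-F" and arg.startswith("arch="):
            rule["arch"] = arg[len("arch="):]
        elif opt == "-F" and arg.startswith("key="):
            rule["key"] = arg[len("key="):]
        elif opt == "-k":                      # same meaning as -F key=
            rule["key"] = arg
        else:                                  # any other filter narrows the rule
            rule["other"].append(f"{opt} {arg}")
    return rule


def is_candidate(rule, arch):
    """A rule the check accepts: right arch, keyed, and no extra -F filters."""
    return bool(rule and rule["arch"] == arch and rule["key"] and not rule["other"])


def is_audited(rules_text, arch, syscall):
    """True if some acceptable rule for this arch already lists the syscall."""
    return any(is_candidate(r, arch) and syscall in r["syscalls"]
               for r in map(parse_rule, rules_text.splitlines()))


def format_rule(arch, syscalls, key, comma=True):
    """Render a rule, keeping the comma or repeated -S style of the original."""
    if comma:
        sc = "-S " + ",".join(syscalls)
    else:
        sc = " ".join("-S " + s for s in syscalls)
    return f"-a always,exit -F arch={arch} {sc} -F key={key}"


def remediate(rules_text, arch, syscall, key=KEY):
    """Return rules text that audits syscall on arch.

    Like the shell remediation: if an acceptable rule already covers the
    syscall, change nothing; else add it to an existing rule of the same time
    group (so one line carries adjtimex,settimeofday,...); else append a rule.
    """
    if is_audited(rules_text, arch, syscall):
        return rules_text
    lines = rules_text.splitlines()
    for i, line in enumerate(lines):
        r = parse_rule(line)
        if is_candidate(r, arch) and set(r["syscalls"]) & set(TIME_GROUP[arch]):
            lines[i] = format_rule(arch, r["syscalls"] + [syscall], r["key"], r["comma"])
            break
    else:
        lines.append(format_rule(arch, [syscall], key))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for arch in ("b32", "b64"):
        print(arch, "settimeofday audited:", is_audited(SAMPLE_RULES, arch, "settimeofday"))
    print(remediate(SAMPLE_RULES, "b64", "settimeofday"))
```

Running it on the sample shows the point of the candidate filter: the b64 rule with `-F auid>=1000` mentions settimeofday but is rejected because it is narrower than the rule the check wants, so settimeofday is grouped into the existing b64 adjtimex rule instead, keeping that rule's repeated `-S` style exactly as the sed step in the shell remediation would. The key is normalised to `-F key=` in rewritten lines, which audit treats identically to `-k`.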
All changes >to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161386464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362161386464"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > # Create expected audit group and audit rule form for particular system call & architecture > if [ ${ARCH} = "b32" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) > # so append it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday stime" > SYSCALL_GROUPING="adjtimex settimeofday stime" > elif [ ${ARCH} = "b64" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) > # therefore don't add it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday" > SYSCALL_GROUPING="adjtimex settimeofday" > fi > OTHER_FILTERS="" > AUID_FILTERS="" > KEY="audit_time_rules" > # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' > unset syscall_a > unset syscall_grouping > unset syscall_string > unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of 
audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > # If audit tool is 'augenrules', then check if the audit rule is defined > # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection > # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection > default_file="/etc/audit/rules.d/$KEY.rules" > # As other_filters may include paths, lets use a different delimiter for it > # The "F" script expression tells sed to print the filenames where the expressions matched > readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) > # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet > if [ ${#files_to_inspect[@]} -eq "0" ] > then > file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! 
-e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi > fi > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > 
file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi > unset syscall_a > unset syscall_grouping > unset syscall_string > unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset 
other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > > # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' > # file to the list of files to be inspected > default_file="/etc/audit/audit.rules" > files_to_inspect+=('/etc/audit/audit.rules' ) > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e, collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-rd argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # than check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an exsiting rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoid adding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" 
-gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161366832" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362161366832"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83836-7 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.4.2.b > - audit_rules_time_settimeofday > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set architecture for audit tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83836-7 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.4.2.b > - audit_rules_time_settimeofday > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for settimeofday for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - settimeofday > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of settimeofday in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of 
syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules > set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - settimeofday > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of settimeofday in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - 
name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83836-7 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.4.2.b > - audit_rules_time_settimeofday > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for settimeofday for 64bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - settimeofday > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of settimeofday in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | 
unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - settimeofday
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of settimeofday in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83836-7
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_settimeofday
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161349200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161349200"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit settimeofday</span> <span class="label
label-default">oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit settimeofday</span> <span class="label label-default">oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit settimeofday</span> <span class="label label-default">oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit settimeofday</span> <span class="label label-default">oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime"
id="rule-detail-idm46361752079856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-83835-9 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through stime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_stime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_stime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83835-9">CCE-83835-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following line to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> for both 32 bit and 64 bit systems: ><pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre> >Since the 64 bit version of the "stime" system call is not defined in the audit >lookup table, the corresponding "-F arch=b64" form of this rule is not expected >to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule >form itself is sufficient for both 32 bit and 64 bit systems). If the ><code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to >read audit rules during daemon startup, add the following line to ><code>/etc/audit/audit.rules</code> file for both 32 bit and 64 bit systems: ><pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre> >Since the 64 bit version of the "stime" system call is not defined in the audit >lookup table, the corresponding "-F arch=b64" form of this rule is not expected >to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule >form itself is sufficient for both 32 bit and 64 bit systems). The -k option >allows for the specification of a key in string form that can be used for >better reporting capability through ausearch and aureport. Multiple system >calls can be defined on the same line to save space if desired, but is not >required. 
See an example of multiple combined system calls: ><pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate >nefarious activities in log files, as well as to confuse network services that >are highly dependent upon an accurate system time (such as sshd). All changes >to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161248752" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362161248752"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># Retrieve hardware architecture of the underlying system >[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") > >for ARCH in "${RULE_ARCHS[@]}" >do > # Create expected audit group and audit rule form for particular system call & architecture > if [ ${ARCH} = "b32" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) > # so append it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday stime" > SYSCALL_GROUPING="adjtimex settimeofday stime" > elif [ ${ARCH} = "b64" ] > then > ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" > # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) > # therefore don't add it to the list of time group system calls to be audited > SYSCALL="adjtimex settimeofday" > SYSCALL_GROUPING="adjtimex settimeofday" > fi > OTHER_FILTERS="" > AUID_FILTERS="" > KEY="audit_time_rules" > # Perform the remediation for 
both possible tools: 'auditctl' and 'augenrules' > unset syscall_a > unset syscall_grouping > unset syscall_string > unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > # If audit tool is 'augenrules', then check if the audit rule is defined > # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection > # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection > default_file="/etc/audit/rules.d/$KEY.rules" > # As other_filters may include paths, lets use a different delimiter for it > # The "F" script expression tells sed to print the filenames where the expressions matched > readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) > # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet > if [ ${#files_to_inspect[@]} -eq "0" ] > then > 
file_to_inspect="/etc/audit/rules.d/$KEY.rules" > files_to_inspect=("$file_to_inspect") > if [ ! -e "$file_to_inspect" ] > then > touch "$file_to_inspect" > chmod 0640 "$file_to_inspect" > fi > fi > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in 
"${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" -gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi > unset syscall_a > unset syscall_grouping > unset syscall_string 
> unset syscall > unset file_to_edit > unset rule_to_edit > unset rule_syscalls_to_edit > unset other_string > unset auid_string > unset full_rule > > # Load macro arguments into arrays > read -a syscall_a <<< $SYSCALL > read -a syscall_grouping <<< $SYSCALL_GROUPING > > # Create a list of audit *.rules files that should be inspected for presence and correctness > # of a particular audit rule. The scheme is as follows: > # > # ----------------------------------------------------------------------------------------- > # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | > # ----------------------------------------------------------------------------------------- > # auditctl | Doesn't matter | /etc/audit/audit.rules | > # ----------------------------------------------------------------------------------------- > # augenrules | Yes | /etc/audit/rules.d/*.rules | > # augenrules | No | /etc/audit/rules.d/$key.rules | > # ----------------------------------------------------------------------------------------- > # > files_to_inspect=() > > > > # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' > # file to the list of files to be inspected > default_file="/etc/audit/audit.rules" > files_to_inspect+=('/etc/audit/audit.rules' ) > > # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead > skip=1 > > for audit_file in "${files_to_inspect[@]}" > do > # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, > # i.e., collect rules that match: > # * the action, list and arch, (2-nd argument) > # * the other filters, (3-rd argument) > # * the auid filters, (4-th argument) > readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") > > candidate_rules=() > # Filter out rules that have more fields than required. 
This will remove rules more specific than the required scope > for s_rule in "${similar_rules[@]}" > do > # Strip all the options and fields we know of, > # then check if there was any field left over > extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") > grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") > done > > if [[ ${#syscall_a[@]} -ge 1 ]] > then > # Check if the syscall we want is present in any of the similar existing rules > for rule in "${candidate_rules[@]}" > do > rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) > all_syscalls_found=0 > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { > # A syscall was not found in the candidate rule > all_syscalls_found=1 > } > done > if [[ $all_syscalls_found -eq 0 ]] > then > # We found a rule with all the syscall(s) we want; skip rest of macro > skip=0 > break > fi > > # Check if this rule can be grouped with our target syscall and keep track of it > for syscall_g in "${syscall_grouping[@]}" > do > if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" > then > file_to_edit=${audit_file} > rule_to_edit=${rule} > rule_syscalls_to_edit=${rule_syscalls} > fi > done > done > else > # If there is any candidate rule, it is compliant; skip rest of macro > if [ "${#candidate_rules[@]}" -gt 0 ] > then > skip=0 > fi > fi > > if [ "$skip" -eq 0 ]; then > break > fi > done > > if [ "$skip" -ne 0 ]; then > # We checked all rules that matched the expected resemblance pattern (action, arch & auid) > # At this point we know if we need to either append the $full_rule or group > # the syscall together with an existing rule > > # Append the full_rule if it cannot be grouped to any other rule > if [ -z ${rule_to_edit+x} ] > then > # Build full_rule while avoiding double spaces when other_filters is empty > if [ "${#syscall_a[@]}" 
-gt 0 ] > then > syscall_string="" > for syscall in "${syscall_a[@]}" > do > syscall_string+=" -S $syscall" > done > fi > other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true > auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true > full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true > echo "$full_rule" >> "$default_file" > chmod o-rwx ${default_file} > else > # Check if the syscalls are declared as a comma separated list or > # as multiple -S parameters > if grep -q -- "," <<< "${rule_syscalls_to_edit}" > then > delimiter="," > else > delimiter=" -S " > fi > new_grouped_syscalls="${rule_syscalls_to_edit}" > for syscall in "${syscall_a[@]}" > do > grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { > # A syscall was not found in the candidate rule > new_grouped_syscalls+="${delimiter}${syscall}" > } > done > > # Group the syscall in the rule > sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" > fi > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161226688" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362161226688"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83835-9 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.4.2.b > - audit_rules_time_stime > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Perform remediation of Audit rules for stime syscall for x86 platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - stime > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of stime in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules > set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | 
map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - stime > syscall_grouping: > - adjtimex > - settimeofday > - stime > > - name: Check existence of stime in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 
> > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83835-9 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.4.2.b > - audit_rules_time_stime > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161213712" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362161213712"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }} > mode: 0600 > path: /etc/audit/rules.d/75-syscall-stime.rules > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel 
panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp; > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp; > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit stime</span>&nbsp; > <span class="label label-default">oval:ssg-test_32bit_art_stime_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_stime_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit stime</span>&nbsp; > <span class="label label-default">oval:ssg-test_32bit_art_stime_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_stime_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" id="rule-detail-idm46361752075872"><div class="keywords sr-only"><!--This allows OpenSCAP 
JS to search the report rules-->Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-83839-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter the localtime File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_watch_localtime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83839-1">CCE-83839-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the default),
add the following line to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code>:
<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following line to the
<code>/etc/audit/audit.rules</code> file:
<pre>-w /etc/localtime -p wa -k audit_time_rules</pre>
The <code>-k</code> option attaches a key string to the rule so that matching events can be
selected with <code>ausearch -k audit_time_rules</code> and summarized by <code>aureport</code>;
it should always be used. After adding the rule, load it (<code>augenrules --load</code>, or
restart <code>auditd</code>) and confirm that <code>auditctl -l</code> lists the watch.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161114496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161114496"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_time_rules.rules"
    # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into $audit_rules_file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161106272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161106272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_time_rules.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/localtime -p wa -k audit_time_rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/localtime -p wa -k audit_time_rules
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161098192" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161098192"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/localtime watch augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_artw_etc_localtime_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_artw_etc_localtime_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/localtime watch auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_artw_etc_localtime_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_artw_etc_localtime_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" id="rule-detail-idm46361752504752"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Network Environment xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification medium CCE-83706-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Network Environment</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_networkconfig_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83706-2">CCE-83706-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a
href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.5</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <code>.rules</code> in the
directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as
appropriate for your system:
<pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre>
On a 64-bit system, include the <code>-a</code> syscall line twice, once with
<code>arch=b32</code> and once with <code>arch=b64</code> (as the shell remediation for this
rule does), because a rule filtered on one architecture does not match the same syscall
made through the other ABI.</div></td></tr><tr><td>Rationale</td><td><div
class="rationale">The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175993728" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362175993728"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
  ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
  OTHER_FILTERS=""
  AUID_FILTERS=""
  SYSCALL="sethostname setdomainname"
  KEY="audit_rules_networkconfig_modification"
  SYSCALL_GROUPING="sethostname setdomainname"
  # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
  unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
  file_to_inspect="/etc/audit/rules.d/$KEY.rules"
  files_to_inspect=("$file_to_inspect")
  if [ ! -e "$file_to_inspect" ]
  then
    touch "$file_to_inspect"
    chmod 0640 "$file_to_inspect"
  fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
  # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
  # i.e., collect rules that match:
  # * the action, list and arch, (2-nd argument)
  # * the other filters, (3-rd argument)
  # * the auid filters, (4-th argument)
  readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

  candidate_rules=()
  # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
  for s_rule in "${similar_rules[@]}"
  do
    # Strip all the options and fields we know of,
    # then check if there was any field left over
    extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
    grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
  done

  if [[ ${#syscall_a[@]} -ge 1 ]]
  then
    # Check if the syscall we want is present in any of the similar existing rules
    for rule in "${candidate_rules[@]}"
    do
      rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
      all_syscalls_found=0
      for syscall in "${syscall_a[@]}"
      do
        grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
          # A syscall was not found in the candidate rule
          all_syscalls_found=1
          }
      done
      if [[ $all_syscalls_found -eq 0 ]]
      then
        # We found a rule with all the syscall(s) we want; skip rest of macro
        skip=0
        break
      fi

      # Check if this rule can be grouped with our target syscall and keep track of it
      for syscall_g in "${syscall_grouping[@]}"
      do
        if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
        then
          file_to_edit=${audit_file}
          rule_to_edit=${rule}
          rule_syscalls_to_edit=${rule_syscalls}
        fi
      done
    done
  else
    # If there is any candidate rule, it is compliant; skip rest of macro
    if [ "${#candidate_rules[@]}" -gt 0 ]
    then
      skip=0
    fi
  fi

  if [ "$skip" -eq 0 ]; then
    break
  fi
done

if [ "$skip" -ne 0 ]; then
  # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
  # At this point we know if we need to either append the $full_rule or group
  # the syscall together with an existing rule

  # Append the full_rule if it cannot be grouped to any other rule
  if [ -z ${rule_to_edit+x} ]
  then
    # Build full_rule while avoiding adding double spaces when other_filters is empty
    if [ "${#syscall_a[@]}" -gt 0 ]
    then
      syscall_string=""
      for syscall in "${syscall_a[@]}"
      do
        syscall_string+=" -S $syscall"
      done
    fi
    other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
    auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
    full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
    echo "$full_rule" >> "$default_file"
    chmod o-rwx ${default_file}
  else
    # Check if the syscalls are declared as a comma separated list or
    # as multiple -S parameters
    if grep -q -- "," <<< "${rule_syscalls_to_edit}"
    then
      delimiter=","
    else
      delimiter=" -S "
    fi
    new_grouped_syscalls="${rule_syscalls_to_edit}"
    for syscall in "${syscall_a[@]}"
    do
      grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
        # A syscall was not found in the candidate rule
        new_grouped_syscalls+="${delimiter}${syscall}"
        }
    done

    # Group the syscall in the rule
    sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
  fi
fi
  unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()



# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
  # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
  # i.e., collect rules that match:
  # * the action, list and arch, (2-nd argument)
  # * the other filters, (3-rd argument)
  # * the auid filters, (4-th argument)
  readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

  candidate_rules=()
  # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
  for s_rule in "${similar_rules[@]}"
  do
    # Strip all the options and fields we know of,
    # then check if there was any field left over
    extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
    grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
  done

  if [[ ${#syscall_a[@]} -ge 1 ]]
  then
    # Check if the syscall we want is present in any of the similar existing rules
    for rule in "${candidate_rules[@]}"
    do
      rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
      all_syscalls_found=0
      for syscall in "${syscall_a[@]}"
      do
        grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
          # A syscall was not found in the candidate rule
          all_syscalls_found=1
          }
      done
      if [[ $all_syscalls_found -eq 0 ]]
      then
        # We found a rule with all the syscall(s) we want; skip rest of macro
        skip=0
        break
      fi

      # Check if this rule can be grouped with our target syscall and keep track of it
      for syscall_g in "${syscall_grouping[@]}"
      do
        if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
        then
          file_to_edit=${audit_file}
          rule_to_edit=${rule}
          rule_syscalls_to_edit=${rule_syscalls}
        fi
      done
    done
  else
    # If there is any candidate rule, it is compliant; skip rest of macro
    if [ "${#candidate_rules[@]}" -gt 0 ]
    then
      skip=0
    fi
  fi

  if [ "$skip" -eq 0 ]; then
    break
  fi
done

if [ "$skip" -ne 0 ]; then
  # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
  # At this point we know if we need to either append the $full_rule or group
  # the syscall together with an existing rule

  # Append the full_rule if it cannot be grouped to any other rule
  if [ -z ${rule_to_edit+x} ]
  then
    # Build full_rule while avoiding adding double spaces when other_filters is empty
    if [ "${#syscall_a[@]}" -gt 0 ]
    then
      syscall_string=""
      for syscall in "${syscall_a[@]}"
      do
        syscall_string+=" -S $syscall"
      done
    fi
    other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
    auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
    full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
    echo "$full_rule" >> "$default_file"
    chmod o-rwx ${default_file}
  else
    # Check if the syscalls are declared as a comma separated list or
    # as multiple -S parameters
    if grep -q -- "," <<< "${rule_syscalls_to_edit}"
    then
      delimiter=","
    else
      delimiter=" -S "
    fi
    new_grouped_syscalls="${rule_syscalls_to_edit}"
    for syscall in "${syscall_a[@]}"
    do
      grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
        # A syscall was not found in the candidate rule
        new_grouped_syscalls+="${delimiter}${syscall}"
        }
    done

    # Group the syscall in the rule
    sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
  fi
fi
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
  # Extract filepath from the match
  rulesd_audit_file=$(echo $match | cut -f1 -d ':')
  # Append that path into list of files for inspection
  files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
  # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
  key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
  # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
  if [ ! -e "$key_rule_file" ]
  then
    touch "$key_rule_file"
    chmod 0640 "$key_rule_file"
  fi
  files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
  # Extract filepath from the match
  rulesd_audit_file=$(echo $match | cut -f1 -d ':')
  # Append that path into list of files for inspection
  files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
  # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
  key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
  # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
  if [ ! -e "$key_rule_file" ]
  then
    touch "$key_rule_file"
    chmod 0640 "$key_rule_file"
  fi
  files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
  # Extract filepath from the match
  rulesd_audit_file=$(echo $match | cut -f1 -d ':')
  # Append that path into list of files for inspection
  files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
  # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
  key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
  # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
  if [ ! -e "$key_rule_file" ]
  then
    touch "$key_rule_file"
    chmod 0640 "$key_rule_file"
  fi
  files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
  # Check if audit watch file system object rule for given path already present
  if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
  then
    # Rule is found => verify yet if existing rule definition contains
    # all of the required access type bits

    # Define BRE whitespace class shortcut
    sp="[[:space:]]"
    # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
    current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
    # Split required access bits string into characters array
    # (to check bit's presence for one bit at a time)
    for access_bit in $(echo "wa" | grep -o .)
    do
      # For each from the required access bits (e.g. 'w', 'a') check
      # if they are already present in current access bits for rule.
      # If not, append that bit at the end
      if ! grep -q "$access_bit" <<< "$current_access_bits"
      then
        # Concatenate the existing mask with the missing bit
        current_access_bits="$current_access_bits$access_bit"
      fi
    done
    # Propagate the updated rule's access bits (original + the required
    # ones) back into the /etc/audit/audit.rules file for that rule
    sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
  else
    # Rule isn't present yet. Append it at the end of $audit_rules_file file
    # with proper key

    echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
  fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules               |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules               |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
  # Extract filepath from the match
  rulesd_audit_file=$(echo $match | cut -f1 -d ':')
  # Append that path into list of files for inspection
  files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
  # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
  key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
  # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
  if [ !
-e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. 
Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175927120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362175927120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Set architecture for audit tasks > set_fact: > audit_arch: b64 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture > == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- 
name: Remediate audit rules for network configuration for 32bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - sethostname > - setdomainname > syscall_grouping: > - sethostname > - setdomainname > > - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) }}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules > set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: 
missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - sethostname > - setdomainname > syscall_grouping: > - sethostname > - setdomainname > > - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to /etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the 
audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Remediate audit rules for network configuration for 64bit platform > block: > > - name: Declare list of syscalls > set_fact: > syscalls: > - sethostname > - setdomainname > syscall_grouping: > - sethostname > - setdomainname > > - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: '*.rules' > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Reset syscalls found per file > set_fact: > syscalls_per_file: {} > found_paths_dict: {} > > - name: Declare syscalls found per file > set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path > :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" > loop: '{{ find_command.results | selectattr(''matched'') | list }}' > > - name: Declare files where syscalls were found > set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten > | map(attribute='path') | list }}" > > - name: Count occurrences of syscalls in paths > set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, > 0) }) 
}}" > loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') > | list }}' > > - name: Get path with most syscalls > set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') > | last).key }}" > when: found_paths | length >= 1 > > - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules > set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" > when: found_paths | length == 0 > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] > | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > > - name: Declare list of syscalls > set_fact: > syscalls: > - sethostname > - setdomainname > syscall_grouping: > - sethostname > - setdomainname > > - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules > find: > paths: /etc/audit > contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S > |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ > patterns: audit.rules > register: find_command > loop: '{{ (syscall_grouping + syscalls) | unique }}' > > - name: Set path to 
/etc/audit/audit.rules > set_fact: audit_file="/etc/audit/audit.rules" > > - name: Declare found syscalls > set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') > | list }}" > > - name: Declare missing syscalls > set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" > > - name: Replace the audit rule in {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | > join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) > line: \1\2\3{{ missing_syscalls | join("\3") }}\4 > backrefs: true > state: present > when: syscalls_found | length > 0 and missing_syscalls | length > 0 > > - name: Add the audit rule to {{ audit_file }} > lineinfile: > path: '{{ audit_file }}' > line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification > create: true > mode: o-rwx > state: present > when: syscalls_found | length == 0 > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - audit_arch == "b64" > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - 
NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the > recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | 
map(attribute=''path'') | list | first }}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Add watch rule for /etc/issue in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - 
PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Add watch rule for /etc/issue in /etc/audit/audit.rules > lineinfile: > line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the > recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - 
audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules > lineinfile: > line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] > - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use 
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the > recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83706-2 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AC-6(9) > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.5.5 > - audit_rules_networkconfig_modification > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched 
is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the
    recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_issue_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue.net augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/hosts augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_hosts_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_hosts_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/sysconfig/network augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit sethostname</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit sethostname</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit sethostname</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit sethostname</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit setdomainname</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit setdomainname</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit setdomainname</span>&nbsp;
<span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type
<strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;
<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit setdomainname</span>&nbsp;
<span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_issue_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue.net auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/hosts auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_hosts_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_hosts_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/sysconfig/network auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object
<strong><abbr>oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit sethostname</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label 
label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit sethostname</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No 
items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit sethostname</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine 
class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit sethostname</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit setdomainname</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label 
label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label 
label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit setdomainname</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit setdomainname</span>Â > <span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â > <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type > <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit setdomainname</span>Â > <span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail 
rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_session_events" id="rule-detail-idm46361752500736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-83713-8 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Process and Session Initiation Information</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_session_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_session_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83713-8">CCE-83713-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">0585</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a 
href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.11</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects process information for all >users and root. If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual >edits of files involved in storing such process information: ><pre>-w /var/run/utmp -p wa -k session >-w /var/log/btmp -p wa -k session >-w /var/log/wtmp -p wa -k session</pre> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to the ><code>/etc/audit/audit.rules</code> file in order to watch for attempted manual >edits of files involved in storing such process information: ><pre>-w /var/run/utmp -p wa -k session >-w /var/log/btmp -p wa -k session >-w /var/log/wtmp -p wa -k session</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such >as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175791424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⌲</a><br><div class="panel-collapse collapse" id="idm46362175791424"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then > ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) 
> do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
>readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/session.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/session.rules" > # If the session.rules file doesn't exist yet, create it with correct permissions > if [ ! -e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! 
grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > 
# all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. >readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/session.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/session.rules" > # If the session.rules file doesn't exist yet, create it with correct permissions > if [ ! 
-e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! 
grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
>readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/session.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/session.rules" > # If the session.rules file doesn't exist yet, create it with correct permissions > if [ ! -e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! 
grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" > fi >done > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175769888" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⌲</a><br><div class="panel-collapse collapse" id="idm46362175769888"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts > package_facts: > manager: auto > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", 
"lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key session > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)session$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/session.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' > when: > - '"audit" in 
ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /var/run/utmp -p wa -k session > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/run/utmp in 
/etc/audit/audit.rules > lineinfile: > line: -w /var/run/utmp -p wa -k session > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key session > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)session$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - 
low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/session.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /var/log/btmp -p wa -k session > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > 
== 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules > lineinfile: > line: -w /var/log/btmp -p wa -k session > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ > find: > paths: /etc/audit/rules.d > contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ > patterns: '*.rules' > register: find_existing_watch_rules_d > when: > - '"audit" in ansible_facts.packages' > - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Search /etc/audit/rules.d for other rules with specified key session > find: > paths: /etc/audit/rules.d > contains: ^.*(?:-F key=|-k\s+)session$ > patterns: '*.rules' > register: find_watch_key > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule > set_fact: > all_files: > - /etc/audit/rules.d/session.rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Use matched file as the recipient for the rule > set_fact: > all_files: > - '{{ find_watch_key.files | map(attribute=''path'') | list | first 
}}' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched > is defined and find_existing_watch_rules_d.matched == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/ > lineinfile: > path: '{{ all_files[0] }}' > line: -w /var/log/wtmp -p wa -k session > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules > find: > paths: /etc/audit/ > contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ > patterns: audit.rules > register: find_existing_watch_audit_rules > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy > >- name: Add watch 
rule for /var/log/wtmp in /etc/audit/audit.rules > lineinfile: > line: -w /var/log/wtmp -p wa -k session > state: present > dest: /etc/audit/audit.rules > create: true > mode: '0640' > when: > - '"audit" in ansible_facts.packages' > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched > == 0 > tags: > - CCE-83713-8 > - CJIS-5.4.1.1 > - NIST-800-171-3.1.7 > - NIST-800-53-AU-12(c) > - NIST-800-53-AU-2(d) > - NIST-800-53-CM-6(a) > - PCI-DSS-Req-10.2.3 > - audit_rules_session_events > - low_complexity > - low_disruption > - medium_severity > - reboot_required > - restrict_strategy ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175748528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362175748528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- > > >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }} > mode: 0600 > path: /etc/audit/rules.d/75-audit-session-events.rules > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel
panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules utmp</span>&nbsp; > <span class="label label-default">oval:ssg-test_arse_utmp_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_utmp_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules btmp</span>&nbsp; > <span class="label label-default">oval:ssg-test_arse_btmp_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_btmp_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules wtmp</span>&nbsp; > <span class="label
label-default">oval:ssg-test_arse_wtmp_augenrules:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_wtmp_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp; > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl utmp</span>&nbsp; > <span class="label label-default">oval:ssg-test_arse_utmp_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_utmp_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl btmp</span>&nbsp; > <span class="label
label-default">oval:ssg-test_arse_btmp_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_btmp_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl wtmp</span>&nbsp; > <span class="label label-default">oval:ssg-test_arse_wtmp_auditctl:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_wtmp_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-detail-idm46361752488656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-83729-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects System Administrator Actions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions</td></tr><tr><td>Result</td><td
class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_sysadmin_actions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83729-4">CCE-83729-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a
href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1.5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5.b</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a>, <a href="">SRG-OS-000462-VMM-001840</a>, <a href="">SRG-OS-000471-VMM-001910</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect administrator actions
for all users and root. If the <code>auditd</code> daemon is configured to use the
<code>augenrules</code> program to read audit rules during daemon startup (the default),
add the following lines to a file with suffix <code>.rules</code> in the directory
<code>/etc/audit/rules.d</code>:
<pre>-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions</pre>
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code>
utility to read audit rules during daemon startup, add the following lines to the
<code>/etc/audit/audit.rules</code> file:
<pre>-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as for accountability purposes.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175443472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362175443472"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/actions.rules"
    # If the actions.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/actions.rules"
    # If the actions.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/ $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175423344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362175423344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key actions
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)actions$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/actions.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/sudoers -p wa -k actions
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/sudoers -p wa -k actions
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key actions
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)actions$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/actions.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched
    is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/sudoers.d/ -p wa -k actions
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/sudoers.d/ -p wa -k actions
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched
    == 0
  tags:
  - CCE-83729-4
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(7)(b)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.1.5
  - PCI-DSS-Req-10.2.2
  - PCI-DSS-Req-10.2.5.b
  - audit_rules_sysadmin_actions
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175400208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362175400208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
>kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} > mode: 0600 > path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudoers</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudoers</span>Â > <span class="label 
label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudoers</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudoers</span>Â > <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" id="rule-detail-idm46361752481952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Informationxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification mediumCCE-83715-3 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_usergroup_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83715-3">CCE-83715-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000018</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001403</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002130</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the ><code>augenrules</code> program to read audit rules during daemon startup (the >default), add the following lines to a file with suffix <code>.rules</code> in the >directory <code>/etc/audit/rules.d</code>, in order to capture events that modify >account changes: ><pre>-w /etc/group -p wa -k audit_rules_usergroup_modification >-w /etc/passwd -p wa -k 
audit_rules_usergroup_modification >-w /etc/gshadow -p wa -k audit_rules_usergroup_modification >-w /etc/shadow -p wa -k audit_rules_usergroup_modification >-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre> ><br> >If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> >utility to read audit rules during daemon startup, add the following lines to ><code>/etc/audit/audit.rules</code> file, in order to capture events that modify >account changes: ><pre>-w /etc/group -p wa -k audit_rules_usergroup_modification >-w /etc/passwd -p wa -k audit_rules_usergroup_modification >-w /etc/gshadow -p wa -k audit_rules_usergroup_modification >-w /etc/shadow -p wa -k audit_rules_usergroup_modification >-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In addition to auditing new user and group accounts, these watches >will alert the system administrator(s) to any modifications. Any unexpected >users, groups, or modifications should be investigated for legitimacy.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; > This rule checks for multiple syscalls related to account changes; >it was written with DISA STIG in mind. Other policies should use a >separate rule for each syscall that needs to be checked. 
For example: ><ul><li><code>audit_rules_usergroup_modification_group</code></li><li><code>audit_rules_usergroup_modification_gshadow</code></li><li><code>audit_rules_usergroup_modification_passwd</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175204416" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362175204416"><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then > ># Perform the remediation for both possible tools: 'auditctl' and 'augenrules' ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for 
given path already present > if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. >readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" > # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions > if [ ! 
-e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. 
The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > > ># If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' ># into the list of files to be inspected >files_to_inspect+=('/etc/audit/audit.rules') > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! 
grep -q "$access_bit" <<< "$current_access_bits" > then > # Concatenate the existing mask with the missing bit > current_access_bits="$current_access_bits$access_bit" > fi > done > # Propagate the updated rule's access bits (original + the required > # ones) back into the /etc/audit/audit.rules file for that rule > sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" > else > # Rule isn't present yet. Append it at the end of $audit_rules_file file > # with proper key > > echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" > fi >done ># Create a list of audit *.rules files that should be inspected for presence and correctness ># of a particular audit rule. The scheme is as follows: ># ># ----------------------------------------------------------------------------------------- ># Tool used to load audit rules | Rule already defined | Audit rules file to inspect | ># ----------------------------------------------------------------------------------------- ># auditctl | Doesn't matter | /etc/audit/audit.rules | ># ----------------------------------------------------------------------------------------- ># augenrules | Yes | /etc/audit/rules.d/*.rules | ># augenrules | No | /etc/audit/rules.d/$key.rules | ># ----------------------------------------------------------------------------------------- >files_to_inspect=() > ># If the audit is 'augenrules', then check if rule is already defined ># If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. ># If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. 
>readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules) > ># For each of the matched entries >for match in "${matches[@]}" >do > # Extract filepath from the match > rulesd_audit_file=$(echo $match | cut -f1 -d ':') > # Append that path into list of files for inspection > files_to_inspect+=("$rulesd_audit_file") >done ># Case when particular audit rule isn't defined yet >if [ "${#files_to_inspect[@]}" -eq "0" ] >then > # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection > key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" > # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions > if [ ! -e "$key_rule_file" ] > then > touch "$key_rule_file" > chmod 0640 "$key_rule_file" > fi > files_to_inspect+=("$key_rule_file") >fi > ># Finally perform the inspection and possible subsequent audit rule ># correction for each of the files previously identified for inspection >for audit_rules_file in "${files_to_inspect[@]}" >do > # Check if audit watch file system object rule for given path already present > if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file" > then > # Rule is found => verify yet if existing rule definition contains > # all of the required access type bits > > # Define BRE whitespace class shortcut > sp="[[:space:]]" > # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule > current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") > # Split required access bits string into characters array > # (to check bit's presence for one bit at a time) > for access_bit in $(echo "wa" | grep -o .) > do > # For each from the required access bits (e.g. 'w', 'a') check > # if they are already present in current access bits for rule. > # If not, append that bit at the end > if ! 
grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()


# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect       |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules            |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules        |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules     |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">audit augenrules</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules /etc/group</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_group_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules /etc/passwd</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1</span>&nbsp; <span
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules /etc/gshadow</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules /etc/shadow</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules /etc/security/opasswd</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit /etc/group</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_group_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit /etc/passwd</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit /etc/gshadow</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit /etc/shadow</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit /etc/security/opasswd</span>&nbsp; <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table>
</div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush"
id="rule-detail-idm46361752036624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd flush priorityxccdf_org.ssgproject.content_rule_auditd_data_retention_flush mediumCCE-83685-8 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd flush priority</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_flush</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_data_retention_flush:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83685-8">CCE-83685-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001576</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/audit/auditd.conf</code> to ensure that audit event data is fully synchronized with the log files on the disk:
<pre>flush = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_flush">incremental_async</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Audit data should be synchronously written to disk to ensure log integrity. 
These parameters assure that all audit event data is fully synchronized with the log files on the disk.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">test the value of flush parameter in /etc/audit/auditd.conf</span> <span class="label label-default">oval:ssg-test_auditd_data_retention_flush:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>flush = INCREMENTAL_ASYNC</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-detail-idm46361752012816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of records to cause an explicit flush to audit logsxccdf_org.ssgproject.content_rule_auditd_freq mediumCCE-83704-7 </div><div class="panel-heading"><h3 class="panel-title">Set number of records to cause an explicit flush to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_freq</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_freq:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83704-7">CCE-83704-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the Audit daemon to issue an explicit flush to disk command after writing <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr> records, set <code>freq</code> to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr></code> in <code>/etc/audit/auditd.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>freq</code> isn't set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr></code>, the flush to disk may happen after a higher number of records, increasing the danger of audit loss.</div></td></tr></tbody></table><div class="check-system-details"><span class="label 
label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of freq setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_freq:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>freq = 50</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-detail-idm46361752008848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-83682-5 </div><div class="panel-heading"><h3 class="panel-title">Include Local Events in Audit Logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_local_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_local_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83682-5">CCE-83682-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. 
This is the default setting.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>local_events</code> isn't set to <code>yes</code>, only events from the network will be aggregated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of local_events setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_local_events:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>local_events = yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-detail-idm46361752004880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format lowCCE-83696-5 </div><div class="panel-heading"><h3 class="panel-title">Resolve information before writing to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_log_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_log_format:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83696-5">CCE-83696-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <code>log_format</code> to <code>ENRICHED</code> in <code>/etc/audit/auditd.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>log_format</code> isn't set to <code>ENRICHED</code>, the audit records will be stored in a format exactly as the kernel sends 
them.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of log_format setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_log_format:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>log_format = ENRICHED</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_name_format" id="rule-detail-idm46361752000912"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set hostname as computer node name in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-83686-6 </div><div class="panel-heading"><h3 class="panel-title">Set hostname as computer node name in audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_name_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_name_format:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label 
label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83686-6">CCE-83686-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set <code>name_format</code> to <code>hostname</code> in <code>/etc/audit/auditd.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>name_format</code> is left at its default value of <code>none</code>, audit events from different computers may be hard to distinguish.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362159598848" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362159598848"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audit/auditd.conf" ] ; then

    LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf"
else
    touch "/etc/audit/auditd.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/audit/auditd.conf"

cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159595760" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159595760"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83686-6
  - NIST-800-53-AU-3
  - NIST-800-53-CM-6
  - auditd_name_format
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set hostname as computer node name in audit logs
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/audit/auditd.conf
      create: false
      regexp: (?i)^\s*name_format\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/audit/auditd.conf
    lineinfile:
      path: /etc/audit/auditd.conf
      create: false
      regexp: (?i)^\s*name_format\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/audit/auditd.conf
    lineinfile:
      path: /etc/audit/auditd.conf
      create: true
      regexp: (?i)^\s*name_format\s*=\s*
      line: name_format = hostname
      state: present
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83686-6
  - NIST-800-53-AU-3
  - NIST-800-53-CM-6
  - auditd_name_format
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159592176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159592176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
        mode: 0640
        path: /etc/audit/auditd.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of name_format setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_name_format:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>name_format = NONE</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-detail-idm46361751994240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Write Audit Logs to the Diskxccdf_org.ssgproject.content_rule_auditd_write_logs mediumCCE-83705-4 </div><div class="panel-heading"><h3 class="panel-title">Write Audit Logs to the Disk</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_write_logs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_write_logs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83705-4">CCE-83705-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_STG.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to write Audit logs to the disk, set <code>write_logs</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. 
This is the default setting.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>write_logs</code> isn't set to <code>yes</code>, the Audit logs will not be written to the disk.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of write_logs setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_write_logs:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = yes</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of write_logs setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_access_failed" id="rule-detail-idm46361751990272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditing of unsuccessful file accessesxccdf_org.ssgproject.content_rule_audit_access_failed mediumCCE-83672-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditing of unsuccessful file 
accesses</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_access_failed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_access_failed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83672-6">CCE-83672-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that unsuccessful attempts to access a file are audited.

The following rules configure audit as described above:
<pre>## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
</pre>

Load new Audit rules into kernel by running:
<pre>augenrules --load</pre>

Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect the contents of the file closely and make sure that they are aligned with your needs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. 
Auditing of such activities helps in their monitoring and investigation.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159524896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362159524896"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q ppc64le /proc/sys/kernel/osrelease ) ); }; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
EOF

chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules

augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159521648" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159521648"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according
    to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
    content: |
      ## Unsuccessful file access (any other opens) This has to go last.
      -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
      -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
    force: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture ==
    "ppc64le" ) )
  tags:
  - CCE-83672-6
  - NIST-800-53-AU-2(a)
  - audit_access_failed
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove any permissions from other group
  file:
    path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
    mode: o-rwx
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture ==
    "ppc64le" ) )
  tags:
  - CCE-83672-6
  - NIST-800-53-AU-2(a)
  - audit_access_failed
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159514320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159514320"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules is exactly what is defined in rule description</span> <span class="label label-default">oval:ssg-audit_access_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-audit_access_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</td><td>^.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_access_success" id="rule-detail-idm46361751980896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditing of successful file accessesxccdf_org.ssgproject.content_rule_audit_access_success mediumCCE-83653-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditing of successful file accesses</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_access_success</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_access_success:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83653-6">CCE-83653-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that successful attempts to access a file are audited. > >The following rules configure audit as described above: ><pre>## Successful file access (any other opens) This has to go last. 
>## These next two are likely to result in a whole lot of events >-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access >-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access </pre> > >Load the new Audit rules into the kernel by running: ><pre>augenrules --load</pre> > >Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect the contents of the file closely and make sure that they are aligned with your needs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Auditing of successful attempts to access a file helps in investigation of activities performed on the system.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159433904" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362159433904"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q ppc64le /proc/sys/kernel/osrelease ) ); }; then > >cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules >## Successful file access (any other opens) This has to go last. 
>## These next two are likely to result in a whole lot of events >-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access >-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access >EOF > >chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules > >augenrules --load > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159430544" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159430544"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules according > to policy > copy: > dest: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules > content: | > ## Successful file access (any other opens) This has to go last. 
> ## These next two are likely to result in a whole lot of events > -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access > -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access > force: true > when: > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == > "ppc64le" ) ) > tags: > - CCE-83653-6 > - NIST-800-53-AU-2(a) > - audit_access_success > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > >- name: Remove any permissions from other group > file: > path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules > mode: o-rwx > when: > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == > "ppc64le" ) ) > tags: > - CCE-83653-6 > - NIST-800-53-AU-2(a) > - audit_access_success > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159424960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159424960"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: 
data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access > mode: 0600 > path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-success.rules is exactly what is defined in rule description</span>Â > <span class="label label-default">oval:ssg-audit_access_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-audit_access_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>/etc/audit/rules.d/30-ospp-v42-3-access-success.rules</td><td>^.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-detail-idm46361751554064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-83994-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure cron Is Logging To Rsyslog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_cron_logging</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_cron_logging:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83994-4">CCE-83994-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Cron logging must be implemented to spot intrusions or trace >cron job status. If <code>cron</code> is not logging to <code>rsyslog</code>, it >can be implemented by adding the following to the <i>RULES</i> section of ><code>/etc/rsyslog.conf</code>: ><pre>cron.* /var/log/cron</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Cron logging can be used to trace the successful or unsuccessful execution >of cron jobs. It can also be used to spot intrusions into the use of the cron >facility by unauthorized and malicious users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">cron is configured in /etc/rsyslog.conf</span>&nbsp; > <span class="label label-default">oval:ssg-test_cron_logging_rsyslog:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>cron.* /var/log/cron > ># Everybody gets emergency messages</td></tr></tbody></table><h4><span class="label label-primary">cron is configured in /etc/rsyslog.d</span>&nbsp; > <span class="label label-default">oval:ssg-test_cron_logging_rsyslog_dir:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_cron_logging_rsyslog_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>^.*$</td><td>^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-detail-idm46361751541920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-83834-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_groupownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83834-2">CCE-83834-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The group-owner of all log files written by ><code>rsyslog</code> should be > ><code>root</code>. > >These log files are determined by the second part of each Rule line in ><code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. >For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, >run the following command to inspect the file's group owner: ><pre>$ ls -l <i>LOGFILE</i></pre> >If the owner is not > ><code>root</code>, > >run the following command to >correct this: > ><pre>$ sudo chgrp root <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system >configuration, user authentication, and other such information. 
Log files should be >protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate groupowner set</span>&nbsp; > <span class="label label-default">oval:ssg-test_rsyslog_files_groupownership:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-detail-idm46361751537920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-83946-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By 
Appropriate User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_ownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83946-4">CCE-83946-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The owner of all log files written by <code>rsyslog</code> should be <code>root</code>.
These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's owner:
<pre>$ ls -l <i>LOGFILE</i></pre>
If the owner is not <code>root</code>, run the following command to correct this:
<pre>$ sudo chown root <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate owner set</span> <span class="label label-default">oval:ssg-test_rsyslog_files_ownership:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-detail-idm46361751533936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-83689-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure System Log Files Have Correct Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83689-0">CCE-83689-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The file permissions for all log files written by <code>rsyslog</code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's permissions:
<pre>$ ls -l <i>LOGFILE</i></pre>
If the permissions are not 600 or more restrictive, run the following command to correct this:
<pre>$ sudo chmod 600 <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155750080" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362155750080"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)

# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS

# Array to hold all rsyslog config entries
RSYSLOG_CONFIGS=()
RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")

# Get full list of files to be checked
# RSYSLOG_CONFIGS may contain globs such as
# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
  # If directory, rsyslog will search it recursively for config files.
  # However, files in hidden sub-directories or hidden files will be ignored.
  if [ -d "${ENTRY}" ]
  then
    readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
    RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
  elif [ -f "${ENTRY}" ]
  then
    RSYSLOG_CONFIG_FILES+=("${ENTRY}")
  else
    echo "Invalid include object: ${ENTRY}"
  fi
done

# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
  # From each of these files extract just particular log file path(s), thus:
  # * Ignore lines starting with space (' '), comment ('#'), or variable syntax ('$') characters,
  # * Ignore empty lines,
  # * Strip quotes and closing brackets from paths.
  # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
  # * From the remaining valid rows select only fields constituting a log file path
  # Text file column is understood to represent a log file path if and only if all of the
  # following are met:
  # * it contains at least one slash '/' character,
  # * it is preceded by space
  # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
  # Search log file for path(s) only in case it exists!
  if [[ -f "${LOG_FILE}" ]]
  then
    NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
    LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
    FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
    CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
    MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
    # Since above sed command might return more than one item (delimited by newline), split
    # the particular matches entries into new array specific for this log file
    readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
    # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
    # items from newly created array for this log file
    LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
    # Delete the temporary array
    unset ARRAY_FOR_LOG_FILE
  fi
done

# Check for RainerScript action log format which might be also multiline so grep regex is a bit
# curly:
# extract possibly multiline action omfile expressions
# extract File="logfile" expression
# match only "logfile" expression
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
  ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
  OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
  LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
done

# Ensure the correct attribute if file exists
FILE_CMD="chmod"
for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
do
  # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
  if [ -z "$LOG_FILE_PATH" ]
  then
    continue
  fi
  $FILE_CMD "0600" "$LOG_FILE_PATH"
done

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div
class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155739024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362155739024"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts
  ansible.builtin.set_fact:
    rsyslog_etc_config: /etc/rsyslog.conf
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive
  ansible.builtin.shell: |
    set -o pipefail
    grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
  register: rsyslog_old_inc
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Get include files directives
  ansible.builtin.shell: |
    set -o pipefail
    awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true
  register: rsyslog_new_inc
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes
  ansible.builtin.set_fact:
    include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - List all config files
  ansible.builtin.find:
    paths: '{{ include_config_output | list | map(''dirname'') }}'
    patterns: '{{ include_config_output | list | map(''basename'') }}'
    hidden: false
    follow: true
  register: rsyslog_config_files
  failed_when: false
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Extract log files old format
  ansible.builtin.shell: |
    set -o pipefail
    grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true
  loop: '{{ rsyslog_config_files.files|map(attribute=''path'')|list|flatten|unique + [ rsyslog_etc_config ] }}'
  register: log_files_old
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Extract log files new format
  ansible.builtin.shell: |
    set -o pipefail
    grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true
  loop: '{{ rsyslog_config_files.files|map(attribute=''path'')|list|flatten|unique + [ rsyslog_etc_config ] }}'
  register: log_files_new
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Sum all log files found
  ansible.builtin.set_fact:
    log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Setup log files attribute
  ansible.builtin.file:
    path: '{{ item }}'
    mode: 384  # decimal 384 is octal 0600 (owner read/write only)
    state: file
  loop: '{{ log_files | list | flatten | unique }}'
  failed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate permissions set</span> <span class="label label-default">oval:ssg-test_rsyslog_files_permissions:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-detail-idm46361751503424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten mediumCCE-83995-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_nolisten</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_nolisten:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83995-1">CCE-83995-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 
2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <code>/etc/rsyslog.conf</code>:
<pre>$ModLoad imtcp
$InputTCPServerRun <i>port</i>
$ModLoad imudp
$UDPServerRun <i>port</i>
$ModLoad imrelp
$InputRELPServerRun <i>port</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_nolisten:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_rsyslog_nolisten:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp))</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm46361751499456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost mediumCCE-83990-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_loghost:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83990-2">CCE-83990-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R7)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001348</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000136</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a href="">SRG-OS-000032-VMM-000130</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting <code><i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
<br>
To use UDP for log message delivery:
<pre>*.* @<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre>
<br>
To use TCP for log message delivery:
<pre>*.* @@<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre>
<br>
To use RELP for log message delivery:
<pre>*.* :omrelp:<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre>
<br>
There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; It is important to configure queues in case the client is sending log messages to a remote server. If queues are not configured, the system will stop functioning when the connection to the remote server is not available. Please consult Rsyslog documentation for more information about configuration of queues. The example configuration which should go into <code>/etc/rsyslog.conf</code> can look like the following lines:
<pre>
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
</pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155248272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362155248272"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>'


# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/rsyslog.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^\*\.\*")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "@@$rsyslog_remote_loghost_address"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83990-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
    printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155244496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362155244496"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>
  tags:
    - always

- name: Set rsyslog remote loghost
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: ^\*\.\*
    line: '*.* @@{{ rsyslog_remote_loghost_address }}'
    create: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83990-2
  - NIST-800-53-AU-4(1)
  - NIST-800-53-AU-9(2)
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - rsyslog_remote_loghost
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp; <span class="label label-default">oval:ssg-test_remote_rsyslog_conf:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp; <span class="label label-default">oval:ssg-test_remote_rsyslog_d:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>^.+\.conf$</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" id="rule-detail-idm46361751495472"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure TLS for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls 
mediumCCE-83991-0 </div><div class="panel-heading"><h3 class="panel-title">Configure TLS for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83991-0">CCE-83991-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_X509_EXT.1.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure <code>rsyslog</code> to use Transport Layer Security (TLS) for logging to a remote server by adding an <code>action</code> for the Forwarding Output Module (<code>omfwd</code>) to <code>/etc/rsyslog.conf</code>. You can use the following command:
<pre>echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514"
StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf
</pre>
Replace the <code><remote system></code> in the above command with an IP address or a host name of the remote logging server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155224224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362155224224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>'

params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on")
params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on")

files_containing_omfwd=("$(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)")
if [ -n "${files_containing_omfwd[*]}" ]; then
    for file in "${files_containing_omfwd[@]}"; do
        for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do
            sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file"
        done
        for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do
            if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then
                sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file"
            fi
        done
    done
else
    echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155217120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362155217120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>
  tags:
    - always

- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
    in rsyslog include files'
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_includes_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive
    in rsyslog main config file'
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_main_file_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
    to be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_add_if_missing:
    - protocol
    - target
    - port
    - StreamDriver
    - StreamDriverMode
    - StreamDriverAuthMode
    - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
    be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_values_to_add_if_missing:
    - tcp
    - '{{ rsyslog_remote_loghost_address }}'
    - '6514'
    - gtls
    - '1'
    - x509/name
    - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters
    to be replaced if defined with wrong values'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_replace_if_wrong_value:
    - protocol
    - StreamDriver
    - StreamDriverMode
    - StreamDriverAuthMode
    - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to
    be replaced when having wrong value'
  ansible.builtin.set_fact:
    rsyslog_values_to_replace_if_wrong_value:
    - tcp
    - gtls
    - '1'
    - x509/name
    - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: assemble list of files with existing
    directives'
  ansible.builtin.set_fact:
    rsyslog_files: '{{ rsyslog_includes_with_directive.files | map(attribute=''path'')
      | list + rsyslog_main_file_with_directive.files | map(attribute=''path'') |
      list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: try to fix existing directives'
  block:

  - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
      by adjusting the value'
    ansible.builtin.replace:
      path: '{{ item[0] }}'
      regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"[\s\S]*)({{ item[1][0] | regex_escape()
        }}\s*=\s*"\S*")([\s\S]*\))$
      replace: \1{{ item[1][0] }}="{{ item[1][1] }}"\3
    loop: '{{ rsyslog_files | product (rsyslog_parameters_to_replace_if_wrong_value
      | zip(rsyslog_values_to_replace_if_wrong_value)) | list }}'

  - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives
      by adding parameter and value'
    ansible.builtin.replace:
      path: '{{ item[0] }}'
      regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"(?:[\s\S](?!{{ item[1][0] |
        regex_escape() }}))*.)(\))$
      replace: \1 {{ item[1][0] }}="{{ item[1][1] }}" \2
    loop: '{{ rsyslog_files | product (rsyslog_parameters_to_add_if_missing | zip(rsyslog_values_to_add_if_missing))
      | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - rsyslog_includes_with_directive.matched or rsyslog_main_file_with_directive.matched
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: Add missing rsyslog directive'
  ansible.builtin.lineinfile:
    dest: /etc/rsyslog.conf
    line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address
      }}" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
      streamdriver.CheckExtendedKeyPurpose="on")
    create: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - not rsyslog_includes_with_directive.matched and not rsyslog_main_file_with_directive.matched
  tags:
  - CCE-83991-0
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_remote_tls
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test 
results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the omfwd action configuration</span>Â > <span class="label label-default">oval:ssg-test_rsyslog_remote_tls:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*action\((?i)type(?-i)="omfwd"(.+?)\)</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" id="rule-detail-idm46361751491504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure CA certificate for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert mediumCCE-83992-8 </div><div class="panel-heading"><h3 class="panel-title">Configure CA certificate for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls_cacert:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers 
and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83992-8">CCE-83992-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the CA certificate for <code>rsyslog</code> logging
to a remote server using Transport Layer Security (TLS)
by setting the correct path in the <code>DefaultNetstreamDriverCAFile</code>
global option in <code>/etc/rsyslog.conf</code>, for example with the following command:
<pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre>
Replace <code>/etc/pki/tls/cert.pem</code> in the above command with the path to the CA certificate file generated for the purpose of remote logging.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The CA certificate needs to be set or <code>rsyslog.service</code>
fails to start with
<pre>error: ca certificate is not set, cannot continue</pre></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report 
with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the DefaultNetstreamDriverCAFile configuration</span>&nbsp; <span class="label label-default">oval:ssg-test_rsyslog_remote_tls_cacert:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idm46361751562048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-84063-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84063-7">CCE-84063-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo dnf install rsyslog</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog package supplies the rsyslog daemon, which provides
system logging services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_rsyslog_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>113.el9_2</td><td>8.2102.0</td><td>0:8.2102.0-113.el9_2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.2102.0-113.el9_2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-detail-idm46361751558048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-83989-4 </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog 
Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_rsyslog_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83989-4">CCE-83989-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 9. 
The <code>rsyslog</code> service can be enabled with the following command:
<pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
logging services, which are essential to system administration.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>113.el9_2</td><td>8.2102.0</td><td>0:8.2102.0-113.el9_2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.2102.0-113.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the rsyslog service is running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_running_rsyslog:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>rsyslog.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp; <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.tar
get</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target</td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><
td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp; <span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_firewalld_installed" id="rule-detail-idm46361751474128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-84021-5 </div><div class="panel-heading"><h3 class="panel-title">Install firewalld Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_firewalld_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_firewalld_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84021-5">CCE-84021-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000298-GPOS-00116</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>firewalld</code> package can be installed with the following command:
<pre>
$ sudo dnf install 
firewalld</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. > >Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. > >Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. > >Red Hat Enterprise Linux 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. >Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155011424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362155011424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > >if ! 
rpm -q --quiet "firewalld" ; then > dnf install -y "firewalld" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155008704" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362155008704"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed > package: > name: firewalld > state: present > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-84021-5 > - NIST-800-53-CM-6(a) > - enable_strategy > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - package_firewalld_installed ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155006336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet â²</a><br><div class="panel-collapse collapse" id="idm46362155006336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld > >class install_firewalld { > package { 'firewalld': > ensure => 'installed', > } >} ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362155004160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet â²</a><br><div class="panel-collapse collapse" id="idm46362155004160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> >package --add=firewalld ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155002144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet â²</a><br><div class="panel-collapse collapse" id="idm46362155002144"><pre><code> >[[packages]] >name = "firewalld" >version = "*" ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span>Â > <span class="label label-default">oval:ssg-test_package_firewalld_installed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_firewalld_installed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>firewalld</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idm46361751470128"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-90833-5 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_firewalld_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90833-5">CCE-90833-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00231</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"> >The <code>firewalld</code> service can be enabled with the following command: ><pre>$ sudo systemctl enable 
firewalld.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Access control methods provide the ability to enhance system security posture
by restricting exposed services to known-good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154966784" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362154966784"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154964048" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362154964048"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service firewalld
    service:
      name: firewalld
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"firewalld" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90833-5
  - NIST-800-171-3.1.3
  - NIST-800-171-3.4.7
  - NIST-800-53-AC-4
  - NIST-800-53-CA-3(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(21)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154961328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362154961328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld

class enable_firewalld {
  service {'firewalld':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154959152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362154959152"><pre><code>
[customizations.services]
enabled = ["firewalld"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_firewalld_package_firewalld_installed:obj:1</abbr></strong> of type
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>firewalld</td></tr></tbody></table><h4><span class="label label-primary">Test that the firewalld service is running</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_running_firewalld:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of firewalld">oval:ssg-obj_service_running_firewalld:obj:1</abbr></strong> of type
<strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^firewalld\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><p>The rpminfo test above found no <code>firewalld</code> package and the ActiveState object matched no unit, so the two dependency listings below are simply the units <code>multi-user.target</code> does want on this target; neither <code>firewalld.service</code> nor <code>firewalld.socket</code> is among them, which is why both systemd tests evaluate to false.</p><h4><span class="label label-primary">systemd test</span>&nbsp;
<span class="label label-default">oval:ssg-test_multi_user_wants_firewalld:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;
<span class="label label-default">oval:ssg-test_multi_user_wants_firewalld_socket:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-detail-idm46361751466128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-86041-1 </div><div class="panel-heading"><h3 class="panel-title">Configure the Firewalld Ports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_ports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-86041-1">CCE-86041-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1416</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="">SRG-OS-000096-VMM-000490</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.2.5</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the <code>firewalld</code> ports to 
allow approved services to have access to the system.
To configure <code>firewalld</code> to open ports, run the following command:
<pre>firewall-cmd --permanent --add-port=<i>port_number/tcp</i></pre>
To configure <code>firewalld</code> to allow access for pre-defined services, run the following command:
<pre>firewall-cmd --permanent --add-service=<i>service_name</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
<br><br>
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.
<br><br>
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&nbsp;
<pre>&lt;message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info"&gt;No candidate or applicable check found.&lt;/message&gt;</pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" id="rule-detail-idm46361751460080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-84023-1 </div><div class="panel-heading"><h3 class="panel-title">Set Default firewalld Zone for Incoming Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_firewalld_default_zone</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-set_firewalld_default_zone:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84023-1">CCE-84023-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1416</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the default zone to <code>drop</code> for the built-in default zone which 
processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to be:
<pre>DefaultZone=drop</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In <code>firewalld</code> the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to <code>drop</code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;
To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check /etc/firewalld/firewalld.conf DefaultZone for drop</span>&nbsp;
<span class="label label-default">oval:ssg-test_firewalld_input_drop:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_firewalld_input_drop:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/firewalld/firewalld.conf</td><td>^DefaultZone=drop$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" 
id="rule-detail-idm46361751265264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-84066-0 </div><div class="panel-heading"><h3 class="panel-title">Deactivate Wireless Network Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84066-0">CCE-84066-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000085</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002418</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002421</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001443</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001444</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1315</a>, <a href="">1319</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000299-GPOS-00117</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000300-GPOS-00118</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000481-GPOS-000481</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a></p></td></tr><tr><td>Description</td><td><div 
class="description">Deactivating wireless network interfaces should prevent normal usage of the wireless capability.
<br><br>
Configure the system to disable all wireless network interfaces with the following command:
<pre>$ sudo nmcli radio all off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_network_nmcli_permissions" id="rule-detail-idm46361751484800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent non-Privileged Users from Modifying Network Interfaces using nmclixccdf_org.ssgproject.content_rule_network_nmcli_permissions mediumCCE-90061-3 </div><div class="panel-heading"><h3 class="panel-title">Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_nmcli_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-network_nmcli_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90061-3">CCE-90061-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, non-privileged users are given permissions to modify networking interfaces and configurations using the <code>nmcli</code> command. Non-privileged users should not be making configuration changes to network configurations. 
To ensure that non-privileged users do not have permissions to make changes to the network configuration using <code>nmcli</code>, create the following configuration in <code>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</code>:
<pre>
[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155146464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script</a><br><div class="panel-collapse collapse" id="idm46362155146464"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q polkit; then

printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">polkit is properly 
configured to prevent non-privileged users from changing networking settings</span>&nbsp;<span class="label label-default">oval:ssg-test_network_nmcli_permissions:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_network_nmcli_permissions:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/polkit-1/localauthority/20-org.d/.*$</td><td>^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-detail-idm46361751480800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-83996-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure System is Not Acting as a Network Sniffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_sniffer_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-network_sniffer_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and
References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83996-9">CCE-83996-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO11.06</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.6</a>, <a href="https://www.iso.org/standard/54534.html">A.8.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine whether any interface is running in promiscuous mode:
<pre>$ ip link | grep PROMISC</pre>
Promiscuous mode on an interface can be disabled with the following command:
<pre>$ sudo ip link set dev <code>device_name</code> multicast off promisc off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Network interfaces in promiscuous mode allow the capture of all network traffic visible to the system. If unauthorized individuals can access these capture tools, they may be able to collect information such as logon IDs, passwords, and key exchanges between systems.
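A caveat the check above does not spell out: <code>ip link | grep PROMISC</code> reports the PROMISC flag only when promiscuous mode was set administratively (<code>ip link set dev DEVICE promisc on</code>). A capture tool such as tcpdump that enables promiscuous mode through a packet socket raises the device's promiscuity counter without setting that flag, and only <code>ip -d link</code> prints the counter. As an added example, not part of the SCAP content or of this report, the following Python parses constructed <code>ip -d link show</code> output in which eth0 is promiscuous for the second reason and eth1 for the first, and compares what the grep-style check reports with what the counter reveals. The interface names, MAC addresses and output lines are made up; <code>live_check()</code> assumes iproute2 is installed.

```python
import re
import subprocess

# Constructed `ip -d link show` output. eth0: promiscuity counter 1 but no PROMISC
# flag (a packet-socket capture is running). eth1: `ip link set dev eth1 promisc on`,
# so both the flag and the counter are set. lo: neither.
SAMPLE_IP_D_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
"""

# "2: eth0: <FLAGS...>"; the optional "@parent" handles VLAN/veth names like eth0.10@eth0.
HEADER_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <([^>]*)>")
PROMISCUITY_RE = re.compile(r"\bpromiscuity (\d+)\b")


def parse_ip_d_link(text):
    """Map interface name -> {"flag": PROMISC flag present, "promiscuity": counter}."""
    state = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            flags = m.group(2).split(",")
            state[current] = {"flag": "PROMISC" in flags, "promiscuity": 0}
            continue
        m = PROMISCUITY_RE.search(line)   # detail line belonging to `current`
        if m and current is not None:
            state[current]["promiscuity"] = int(m.group(1))
    return state


def flagged_promisc(text):
    """What `ip link | grep PROMISC` (the rule's suggested check) would report."""
    return sorted(name for name, s in parse_ip_d_link(text).items() if s["flag"])


def any_promisc(text):
    """Interfaces in promiscuous mode for any reason: the administrative flag,
    or a nonzero promiscuity counter from a packet-socket capture."""
    return sorted(name for name, s in parse_ip_d_link(text).items()
                  if s["flag"] or s["promiscuity"] > 0)


def live_check():
    """Evaluate the local system (requires iproute2's `ip`)."""
    out = subprocess.run(["ip", "-d", "link", "show"],
                         capture_output=True, text=True, check=True).stdout
    return any_promisc(out)


if __name__ == "__main__":
    print("grep PROMISC would report :", flagged_promisc(SAMPLE_IP_D_LINK))
    print("flag or counter reports   :", any_promisc(SAMPLE_IP_D_LINK))
```

On the sample, the grep-style check names only eth1, while the counter also exposes eth0. The OVAL test behind this rule inspects interface flags, so it shares the blind spot; a scan that reports <code>pass</code> is not evidence that no capture is running, and auditing for capture processes (or the kernel's "entered promiscuous mode" log lines) is a sensible complement.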
<br><br>
If the system is used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to authorized personnel only.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check all network interfaces for PROMISC flag</span>&nbsp;<span class="label label-default">oval:ssg-test_promisc_interfaces:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_promisc_interfaces:obj:1</abbr></strong> of type <strong>interface_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Filter</th></tr></thead><tbody><tr><td>^.*$</td><td>oval:ssg-state_promisc:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-detail-idm46361751112512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-83908-4 </div><div class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions
of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_ownership_binary_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:06+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83908-4">CCE-83908-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System executables are stored in the following directories by default:
<pre>/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</pre>
All files in these directories should be owned by the <code>root</code> user.
If any file <i>FILE</i> in these directories is found to be owned by a user other than root, correct its ownership with the following command:
<pre>$ sudo chown root <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">System binaries are executed by privileged users as well as by system services; root ownership and restrictive permissions are necessary so that execution of these programs cannot be co-opted by another user.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">binary directories uid root</span>&nbsp;<span class="label label-default">oval:ssg-test_ownership_binary_directories:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary directories">oval:ssg-object_file_ownership_binary_directories:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>no value</td><td>oval:ssg-state_owner_binaries_not_root:ste:1</td></tr></tbody></table><h4><span class="label label-primary">binary files uid root</span>&nbsp;<span class="label label-default">oval:ssg-test_ownership_binary_files:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary files">oval:ssg-object_file_ownership_binary_files:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>^.*$</td><td>oval:ssg-state_owner_binaries_not_root:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-detail-idm46361751108512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-83907-6 </div><div class="panel-heading"><h3 class="panel-title">Verify that Shared Library Files Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_ownership_library_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:08+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83907-6">CCE-83907-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System-wide shared library files, which are linked to executables at process load time or at run time, are stored in the following directories by default:
<pre>/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel at runtime, are also stored under <code>/lib/modules</code>. All files in these directories should be owned by the <code>root</code> user. If a directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
<pre>$ sudo chown root <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime.
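As an added example, not part of the SCAP content or of this report, the following Python performs the ownership check that this rule and the preceding rule for system executables describe: it walks the directories each rule lists, reports every directory, file and symlink whose owner is not root, and emits the <code>chown root FILE</code> commands the rules prescribe. Symlinks are examined with <code>lstat</code> and never followed, so a link pointing into a home directory cannot drag an unrelated tree into the scan; treating that as what the OVAL symlink filter in the details below intends is an assumption. <code>build_sample_tree()</code> constructs a throwaway directory owned by the invoking user so the check can be exercised without touching the real system directories.

```python
import os
import tempfile
from pathlib import Path

# Directories named by the two ownership rules on this page.
BINARY_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/libexec",
               "/usr/local/bin", "/usr/local/sbin", "/usr/sbin"]
LIBRARY_DIRS = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"]


def not_owned_by(roots, uid=0):
    """Sorted [(path, owner_uid)] for every directory, regular file and symlink
    under `roots` whose owner is not `uid` (0 = root). Symlinks are inspected
    with lstat and never descended into (assumption about the intent of the
    OVAL symlink filter); the root directory itself is checked as well, as the
    rules require."""
    findings = []
    for root in map(Path, roots):
        if not root.is_symlink() and not root.exists():
            continue  # e.g. /lib64 is absent on some architectures
        entries = [root]
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            entries.extend(Path(dirpath) / name for name in dirnames + filenames)
        for path in entries:
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # removed between listing and stat
            if st.st_uid != uid:
                findings.append((str(path), st.st_uid))
    return sorted(findings)


def remediation_commands(findings):
    """The fix the rules prescribe, one command per finding (review before running)."""
    return [f"chown root {path}" for path, _ in findings]


def running_as_root():
    return os.geteuid() == 0


def build_sample_tree():
    """Constructed sample: a scratch directory with a subdirectory, a script and a
    symlink, all owned by whoever runs this. Returns (root, set of every path)."""
    root = Path(tempfile.mkdtemp(prefix="ownership-demo-"))
    (root / "sub").mkdir()
    (root / "sub" / "tool").write_bytes(b"#!/bin/sh\nexit 0\n")
    os.symlink("tool", root / "sub" / "tool-link")
    expected = {str(root), str(root / "sub"), str(root / "sub" / "tool"),
                str(root / "sub" / "tool-link")}
    return root, expected


if __name__ == "__main__":
    # Against the real directories: no output means both rules are satisfied.
    for path, owner in not_owned_by(BINARY_DIRS + LIBRARY_DIRS):
        print(f"{path} is owned by uid {owner}")
    root, _ = build_sample_tree()
    print("sample tree:", remediation_commands(not_owned_by([root])))
```

Run as an ordinary user the sample tree produces four findings and four <code>chown</code> commands; run as root it produces none, which is exactly the distinction the scan draws. On a merged-<code>/usr</code> system <code>/bin</code> and <code>/lib</code> are symlinks into <code>/usr</code>, so those trees are simply scanned twice.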
Proper ownership is necessary to protect the integrity of the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_0:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib/">oval:ssg-object_file_ownership_library_dirs_0:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership of /lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_1:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib64/">oval:ssg-object_file_ownership_library_dirs_1:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib64</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership
of /usr/lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_2:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib/">oval:ssg-object_file_ownership_library_dirs_2:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership of /usr/lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_3:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib64/">oval:ssg-object_file_ownership_library_dirs_3:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib64</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-detail-idm46361751101808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
mediumCCE-83911-8 </div><div class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_binary_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:08+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83911-8">CCE-83911-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System executables are stored in the following directories by default:
<pre>/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</pre>
No file in these directories should be group-writable or world-writable. The OVAL check for this rule tests exactly that, on regular files only; symbolic links are excluded by the second state filter.
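The following POSIX shell script is an added example and is not SCAP Security Guide content, nor the OVAL check that produced this report. It reproduces, with GNU find on a Linux system, what the file-permission rules in this group look for: group- or world-writable regular files under the directories listed above and under the shared-library directories of the next rule; world-writable directories without the sticky bit (the sticky-bit rule below); and SUID/SGID regular files not owned by any RPM package (the two "Ensure All ... Executables Are Authorized" rules below). The function names and the PKG_QUERY variable are this example's own inventions; PKG_QUERY exists only so that the package-ownership test (rpm -qf by default) can be swapped out where rpm is not installed.

```shell
#!/bin/sh
# Added example for the file-permission rules in this report; not SSG content.
# Assumes GNU find (Linux) and, for the packaging check, rpm. Symbolic links
# are skipped throughout, matching the symlink-excluding OVAL states above.

# Regular files under the given directories that are group- or world-writable,
# i.e. what file_permissions_binary_dirs / file_permissions_library_dirs flag.
# Output: "<octal mode> <path>", one per line. -perm /022 matches g+w or o+w.
list_go_writable() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm /022 -printf '%m %p\n' 2>/dev/null
    done
}

# The remediation from the rule description (chmod go-w), applied to every
# file list_go_writable would report under the given directories.
fix_go_writable() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -perm /022 -exec chmod go-w {} +
    done
}

# World-writable directories below $1 that lack the sticky bit
# (dir_perms_world_writable_sticky_bits): -perm -0002 requires o+w,
# ! -perm -1000 drops directories that already carry the sticky bit.
list_nonsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -printf '%m %p\n' 2>/dev/null
}

# Package-ownership hook (example's own). $PKG_QUERY defaults to "rpm -qf",
# which exits non-zero for a path that no installed package owns.
is_packaged() {
    ${PKG_QUERY:-rpm -qf} "$1" >/dev/null 2>&1
}

# SUID (4000) or SGID (2000) regular files below $1 that no package owns
# (file_permissions_unauthorized_suid / _sgid). Output: "<octal mode> <path>".
list_unpackaged_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' 2>/dev/null |
    while read -r mode path; do
        is_packaged "$path" || printf '%s %s\n' "$mode" "$path"
    done
}

# Stand-alone use against the directories named in these rules:
#   sh perm_audit.sh --report   # list findings only
#   sh perm_audit.sh --fix      # additionally chmod go-w the writable files
if [ "${1:-}" = "--fix" ] || [ "${1:-}" = "--report" ]; then
    SYSDIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin \
             /lib /lib64 /usr/lib /usr/lib64"
    echo "== group/world-writable files in system directories =="
    list_go_writable $SYSDIRS
    [ "$1" = "--fix" ] && fix_go_writable $SYSDIRS
    echo "== world-writable directories without the sticky bit =="
    list_nonsticky_world_writable /
    echo "== SUID/SGID files not owned by any RPM =="
    list_unpackaged_setid /
fi
```

Run it as root to cover directories an unprivileged user cannot read; otherwise the 2>/dev/null silently hides what find could not enter. Only the writable-file finding has a mechanical fix, which is the rule's own chmod go-w; the sticky-bit and SUID/SGID findings need a decision per directory or file, as the rule descriptions say.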
If any file <i>FILE</i> in these directories is found to be group-writable or world-writable, correct its permission with the following command:
<pre>$ sudo chmod go-w <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">System binaries are executed by privileged users as well as by system services. A binary that is group- or world-writable can be replaced by anyone holding that write access, and the replacement then runs with the privileges of whoever executes it, so restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">binary files go-w</span>&#160;<span class="label label-default">oval:ssg-test_perms_binary_files:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary files">oval:ssg-object_file_permissions_binary_files:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>^.*$</td><td>oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1</td><td>oval:ssg-state_perms_binary_files_symlink:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-detail-idm46361751097808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-83909-2 </div><div class="panel-heading"><h3 class="panel-title">Verify that 
Shared Library Files Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_library_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83909-2">CCE-83909-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System-wide shared library files, which are linked to executables >during process load time 
or run time, are stored in the following directories by default:
<pre>/lib
/lib64
/usr/lib
/usr/lib64
</pre>
Kernel modules, which can be added to the kernel during runtime, are stored in <code>/lib/modules</code>. On Red Hat systems with a merged <code>/usr</code>, <code>/lib</code> and <code>/lib64</code> are symbolic links to <code>/usr/lib</code> and <code>/usr/lib64</code>, so the four entries name the same files. No file in these directories should be group-writable or world-writable; the OVAL states below express this as a mode of 7755 or stricter, on regular files only. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
<pre>$ sudo chmod go-w <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. A writable library lets whoever holds that write access run code inside every process that loads it, so restrictive permissions are necessary to protect the integrity of the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /lib/</span>&#160;<span class="label label-default">oval:ssg-test_file_permissions_library_dirs_0:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib/">oval:ssg-object_file_permissions_library_dirs_0:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /lib64/</span>&#160;<span class="label 
label-default">oval:ssg-test_file_permissions_library_dirs_1:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib64/">oval:ssg-object_file_permissions_library_dirs_1:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib64</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /usr/lib/</span>Â > <span class="label label-default">oval:ssg-test_file_permissions_library_dirs_2:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib/">oval:ssg-object_file_permissions_library_dirs_2:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /usr/lib64/</span>Â > <span class="label label-default">oval:ssg-test_file_permissions_library_dirs_3:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib64/">oval:ssg-object_file_permissions_library_dirs_3:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib64</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-detail-idm46361751259856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-83895-3 </div><div class="panel-heading"><h3 class="panel-title">Verify that All World-Writable Directories Have Sticky Bits Set</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_sticky_bits:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83895-3">CCE-83895-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.12</a></p></td></tr><tr><td>Description</td><td><div class="description">When the so-called 'sticky bit' is set on a directory, a file in that directory may be removed or renamed only by the file's owner, the directory's owner, or root, regardless of who else has write access to the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
<br>
To set the sticky bit on a world-writable directory <i>DIR</i>, run the following command:
<pre>$ sudo chmod +t <i>DIR</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
<br><br>
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the >system, by users for temporary file storage (such as <code>/tmp</code>), and >for directories requiring global read/write access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">all local world-writable directories have sticky bit set</span>Â > <span class="label label-default">oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="only local directories">oval:ssg-object_only_local_directories:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>no value</td><td>oval:ssg-state_world_writable_and_not_sticky:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-detail-idm46361751248384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SGID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid mediumCCE-83901-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SGID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_sgid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:00+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83901-9">CCE-83901-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.14</a></p></td></tr><tr><td>Description</td><td><div class="description">The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine whether any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review. Note that the check only asks whether the path belongs to an installed package; whether the file's contents and mode still match what the package shipped is a separate question, answered by <code>rpm -V</code> on that package.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SGID permission run with the privileges of the group that owns the file (the SUID bit, covered by the next rule, does the same for the owning user). SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. 
The presence of these files should be >strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">sgid files outside system RPMs</span>Â > <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_sgid:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with sgid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_sgid_unowned:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-detail-idm46361751244384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SUID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid mediumCCE-83897-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SUID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_suid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:04+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83897-9">CCE-83897-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.13</a></p></td></tr><tr><td>Description</td><td><div class="description">The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">suid files outside system RPMs</span> <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_suid:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with suid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_suid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-detail-idm46361751240384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-83902-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure No World-Writable Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_world_writable:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:05+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83902-7">CCE-83902-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.9</a></p></td></tr><tr><td>Description</td><td><div class="description">It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as <code>sysfs</code> or <code>procfs</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">world writable files</span> <span class="label label-default">oval:ssg-test_file_permissions_unauthorized_world_write:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="world writable">oval:ssg-object_file_permissions_unauthorized_world_write:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_world_write:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-detail-idm46361751054384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-83881-3 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nodev:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83881-3">CCE-83881-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block devices should not exist within temporary directories like <code>/dev/shm</code>. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /dev/shm optional no</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span> <span class="label label-default">oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-detail-idm46361751050384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-83857-3 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_noexec:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83857-3">CCE-83857-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/dev/shm</code>. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as <code>/dev/shm</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/dev/shm</code> can expose the system to potential compromise.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362147408912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362147408912"><table class="table table-striped table-bordered table-condensed"><tr><th>Reboot:</th><td>false</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {

        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"

        # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
        if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
            # runtime opts without some automatic kernel/userspace-added defaults
            previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
                        | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
            [ "$previous_mount_opts" ] && previous_mount_opts+=","
            echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
        # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
        elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
            previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
            sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
        fi

        if mkdir -p "/dev/shm"; then
            if mountpoint -q "/dev/shm"; then
                mount -o remount --target "/dev/shm"
            else
                mount --target "/dev/shm"
            fi
        fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362147406128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362147406128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to
    /dev/shm options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" |
    length == 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /dev/shm optional no</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span> <span class="label label-default">oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount 
options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-detail-idm46361751046384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-83891-2 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nosuid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83891-2">CCE-83891-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /dev/shm optional no</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span> <span class="label label-default">oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td 
role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-detail-idm46361750895808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-83970-4 </div><div class="panel-heading"><h3 class="panel-title">Enable ExecShield via sysctl</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_exec_shield:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83970-4">CCE-83970-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002530</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a></p></td></tr><tr><td>Description</td><td><div class="description">By default on Red Hat Enterprise Linux 9 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in <code>/etc/default/grub</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">64 bit architecture</span>Â > <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">NX is disabled</span>Â > <span class="label label-default">oval:ssg-test_nx_disabled_grub:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nx_disabled_grub:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>[\s]*noexec[\s]*=[\s]*off</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-detail-idm46361750891808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-83972-0 </div><div class="panel-heading"><h3 class="panel-title">Restrict Exposed Kernel Pointer Addresses Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kptr_restrict:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83972-0">CCE-83972-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr></pre>
To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kptr_restrict = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Exposing kernel pointers (through procfs or <code>seq_printf()</code>) exposes kernel writeable structures which may contain function pointers. If a write vulnerability occurs in the kernel, allowing write access to any of these structures, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from getting the addresses of kernel pointers by replacing them with 0.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145182576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145182576"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.kptr_restrict" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done
sysctl_kernel_kptr_restrict_value='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr>'


#
# Set runtime for kernel.kptr_restrict
#
/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"

#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
# else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83972-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145175344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145175344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.kptr_restrict.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83972-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict

- name: Comment out any occurrences of kernel.kptr_restrict from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.kptr_restrict
    replace: '#kernel.kptr_restrict'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83972-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict
- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
  set_fact:
    sysctl_kernel_kptr_restrict_value: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr>
  tags:
  - always

- name: Ensure sysctl kernel.kptr_restrict is set
  sysctl:
    name: kernel.kptr_restrict
    value: '{{ sysctl_kernel_kptr_restrict_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83972-0
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - NIST-800-53-SC-30(5)
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_kptr_restrict
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145170608" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145170608"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.kptr_restrict%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with 
id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_etc_sysctld:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /run/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_run_sysctld:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_usr_local_lib_sysctld:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_not_defined:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td>
oval:ssg-object_static_etc_sysctls_sysctl_kernel_kptr_restrict:obj:1
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1
</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kptr_restrict set to 1 or 2</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kptr_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm46361750887808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-83971-2 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_randomize_va_space:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83971-2">CCE-83971-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.3</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre>
To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.randomize_va_space = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145129152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145129152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.randomize_va_space" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
# else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83971-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145123488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145123488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.randomize_va_space.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83971-2
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Comment out any occurrences of kernel.randomize_va_space from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.randomize_va_space
    replace: '#kernel.randomize_va_space'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83971-2
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space

- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83971-2
  - NIST-800-171-3.1.7
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-30
  - NIST-800-53-SC-30(2)
  - PCI-DSS-Req-2.2.1
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_randomize_va_space
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145119680" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145119680"><pre><code>---
>apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,kernel.randomize_va_space%3D2%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /usr/local/lib/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_usr_local_lib_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>Â > 
<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_not_defined:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1 > oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.randomize_va_space set to 2</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.randomize_va_space</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idm46361750956416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-83952-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_dmesg_restrict:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83952-2">CCE-83952-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.dmesg_restrict = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unprivileged access to the kernel syslog can expose sensitive kernel >address information.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145718384" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362145718384"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is 
applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > ># Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files > >for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do > > matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq ) > if ! test -z "$matching_list"; then > while IFS= read -r entry; do > escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") > # comment out "kernel.dmesg_restrict" matches to preserve user data > sed -i "s/^${escaped_entry}$/# &/g" $f > done <<< "$matching_list" > fi >done > ># ># Set runtime for kernel.dmesg_restrict ># >/sbin/sysctl -q -n -w kernel.dmesg_restrict="1" > ># ># If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1" ># else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf ># ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. >sed_command=('sed' '-i') >if test -L "/etc/sysctl.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. >stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "1" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. 
>if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "/etc/sysctl.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83952-2" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf" > printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145713056" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362145713056"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files > find: > paths: > - /etc/sysctl.d/ > - /run/sysctl.d/ > - /usr/local/lib/sysctl.d/ > contains: ^[\s]*kernel.dmesg_restrict.*$ > patterns: '*.conf' > file_type: any > register: find_sysctl_d > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83952-2 > - NIST-800-171-3.1.5 > - NIST-800-53-SI-11(a) > - NIST-800-53-SI-11(b) > - disable_strategy > - low_complexity > - low_severity > - medium_disruption > - reboot_required > - sysctl_kernel_dmesg_restrict > >- name: Comment out any occurrences of kernel.dmesg_restrict from config files > replace: > path: '{{ item.path }}' > regexp: ^[\s]*kernel.dmesg_restrict > replace: '#kernel.dmesg_restrict' > loop: '{{ find_sysctl_d.files }}' > 
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83952-2 > - NIST-800-171-3.1.5 > - NIST-800-53-SI-11(a) > - NIST-800-53-SI-11(b) > - disable_strategy > - low_complexity > - low_severity > - medium_disruption > - reboot_required > - sysctl_kernel_dmesg_restrict > >- name: Ensure sysctl kernel.dmesg_restrict is set to 1 > sysctl: > name: kernel.dmesg_restrict > value: '1' > state: present > reload: true > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83952-2 > - NIST-800-171-3.1.5 > - NIST-800-53-SI-11(a) > - NIST-800-53-SI-11(b) > - disable_strategy > - low_complexity > - low_severity > - medium_disruption > - reboot_required > - sysctl_kernel_dmesg_restrict ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145709424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362145709424"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,kernel.dmesg_restrict%3D1%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have 
been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_etc_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /run/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_run_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /usr/local/lib/sysctl.d/*.conf</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_usr_local_lib_sysctld:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>Â > <span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_not_defined:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1 > oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.dmesg_restrict set to 1</span>Â > <span class="label 
label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.dmesg_restrict</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" id="rule-detail-idm46361750952416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-83954-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Image Loading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kexec_load_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83954-8">CCE-83954-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kexec_load_disabled=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kexec_load_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling kexec_load allows greater control of the kernel memory. >It makes it impossible to load another kernel image after it has been disabled. 
></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145696384" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362145696384"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > ># Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files > >for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do > > matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq ) > if ! test -z "$matching_list"; then > while IFS= read -r entry; do > escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") > # comment out "kernel.kexec_load_disabled" matches to preserve user data > sed -i "s/^${escaped_entry}$/# &/g" $f > done <<< "$matching_list" > fi >done > ># ># Set runtime for kernel.kexec_load_disabled ># >/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1" > ># ># If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1" ># else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf ># ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. >sed_command=('sed' '-i') >if test -L "/etc/sysctl.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. 
>stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "1" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. >if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "/etc/sysctl.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83954-8" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf" > printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145690704" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362145690704"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files > find: > paths: > - /etc/sysctl.d/ > - /run/sysctl.d/ > - /usr/local/lib/sysctl.d/ > contains: ^[\s]*kernel.kexec_load_disabled.*$ > patterns: '*.conf' > file_type: any > register: find_sysctl_d > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83954-8 > - NIST-800-53-CM-6 > - disable_strategy > - 
low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_kexec_load_disabled > >- name: Comment out any occurrences of kernel.kexec_load_disabled from config files > replace: > path: '{{ item.path }}' > regexp: ^[\s]*kernel.kexec_load_disabled > replace: '#kernel.kexec_load_disabled' > loop: '{{ find_sysctl_d.files }}' > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83954-8 > - NIST-800-53-CM-6 > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_kexec_load_disabled > >- name: Ensure sysctl kernel.kexec_load_disabled is set to 1 > sysctl: > name: kernel.kexec_load_disabled > value: '1' > state: present > reload: true > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83954-8 > - NIST-800-53-CM-6 > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_kexec_load_disabled ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145687184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362145687184"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,kernel.kexec_load_disabled%3D1%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel 
panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_etc_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /run/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_run_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /usr/local/lib/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_usr_local_lib_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_not_defined:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 > 
oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kexec_load_disabled set to 1</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kexec_load_disabled</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" id="rule-detail-idm46361750929488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-83957-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Access to Network bpf() Syscall From Unprivileged Processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally 
meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83957-1">CCE-83957-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.unprivileged_bpf_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Loading and accessing packet filter programs and maps using the bpf() >syscall has the potential of revealing sensitive information about the kernel state.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362145537424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145537424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > ># Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files > >for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do > > matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq ) > if ! test -z "$matching_list"; then > while IFS= read -r entry; do > escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") > # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data > sed -i "s/^${escaped_entry}$/# &/g" $f > done <<< "$matching_list" > fi >done > ># ># Set runtime for kernel.unprivileged_bpf_disabled ># >/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1" > ># ># If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1" ># else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf ># ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. >sed_command=('sed' '-i') >if test -L "/etc/sysctl.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. 
>stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "1" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. >if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "/etc/sysctl.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83957-1" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf" > printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145531648" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145531648"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files > find: > paths: > - /etc/sysctl.d/ > - /run/sysctl.d/ > - /usr/local/lib/sysctl.d/ > contains: ^[\s]*kernel.unprivileged_bpf_disabled.*$ > patterns: '*.conf' > file_type: any > register: find_sysctl_d > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83957-1 > - NIST-800-53-AC-6 > - 
NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_unprivileged_bpf_disabled > >- name: Comment out any occurrences of kernel.unprivileged_bpf_disabled from config > files > replace: > path: '{{ item.path }}' > regexp: ^[\s]*kernel.unprivileged_bpf_disabled > replace: '#kernel.unprivileged_bpf_disabled' > loop: '{{ find_sysctl_d.files }}' > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83957-1 > - NIST-800-53-AC-6 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_unprivileged_bpf_disabled > >- name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1 > sysctl: > name: kernel.unprivileged_bpf_disabled > value: '1' > state: present > reload: true > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83957-1 > - NIST-800-53-AC-6 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_unprivileged_bpf_disabled ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145527984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145527984"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,kernel.unprivileged_bpf_disabled%3D1%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span 
class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_etc_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /run/sysctl.d/*.conf</span> > <span class="label 
label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_run_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /usr/local/lib/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_usr_local_lib_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_not_defined:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 > oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.unprivileged_bpf_disabled</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-detail-idm46361750922736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-83965-4 </div><div class="panel-heading"><h3 class="panel-title">Restrict usage of ptrace to descendant processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83965-4">CCE-83965-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R25)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.yama.ptrace_scope = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unrestricted usage of ptrace allows compromised binaries to run ptrace >on 
other processes of the user. In this way, the attacker can steal >sensitive information from the target processes (e.g. SSH sessions, web browser, ...) >without any additional assistance from the user (i.e. without resorting to phishing). ></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145479616" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145479616"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > ># Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files > >for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do > > matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq ) > if ! test -z "$matching_list"; then > while IFS= read -r entry; do > escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") > # comment out "kernel.yama.ptrace_scope" matches to preserve user data > sed -i "s/^${escaped_entry}$/# &/g" $f > done <<< "$matching_list" > fi >done > ># ># Set runtime for kernel.yama.ptrace_scope ># >/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1" > ># ># If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1" ># else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf ># ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. 
>sed_command=('sed' '-i') >if test -L "/etc/sysctl.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. >stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "1" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. >if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "/etc/sysctl.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83965-4" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf" > printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145473968" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145473968"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files > find: > paths: > - /etc/sysctl.d/ > - /run/sysctl.d/ > - /usr/local/lib/sysctl.d/ > contains: 
^[\s]*kernel.yama.ptrace_scope.*$ > patterns: '*.conf' > file_type: any > register: find_sysctl_d > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83965-4 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_yama_ptrace_scope > >- name: Comment out any occurrences of kernel.yama.ptrace_scope from config files > replace: > path: '{{ item.path }}' > regexp: ^[\s]*kernel.yama.ptrace_scope > replace: '#kernel.yama.ptrace_scope' > loop: '{{ find_sysctl_d.files }}' > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83965-4 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_yama_ptrace_scope > >- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1 > sysctl: > name: kernel.yama.ptrace_scope > value: '1' > state: present > reload: true > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83965-4 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_kernel_yama_ptrace_scope ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145470448" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145470448"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,kernel.yama.ptrace_scope%3D1%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf > overwrite: 
true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_etc_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /run/sysctl.d/*.conf</span> > <span class="label 
label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_run_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /usr/local/lib/sysctl.d/*.conf</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_usr_local_lib_sysctld:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_not_defined:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 > oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.yama.ptrace_scope set to 1</span> > <span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.yama.ptrace_scope</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" id="rule-detail-idm46361750918736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-83966-2 </div><div class="panel-heading"><h3 class="panel-title">Harden the operation of the BPF just-in-time compiler</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_core_bpf_jit_harden:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83966-2">CCE-83966-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.core.bpf_jit_harden</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</pre> >To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.core.bpf_jit_harden = 2</pre> >Note that a definition of the same key in a later-sorting file under <code>/etc/sysctl.d</code>, <code>/run/sysctl.d</code> or <code>/usr/local/lib/sysctl.d</code>, or in <code>/etc/sysctl.conf</code> (applied last by <code>sysctl --system</code>), overrides an earlier one at boot. The OVAL tests for this rule therefore inspect all of those locations, and the remediation below comments out every existing definition before writing the value to <code>/etc/sysctl.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">When hardened, the extended Berkeley Packet Filter (eBPF) just-in-time compiler >blinds the constants in every program it compiles, so the immediate values of an attacker-supplied BPF program cannot be used as executable gadgets (JIT spraying). Value <code>2</code> applies this to programs loaded by all users; value <code>1</code>, the runtime value recorded in this scan, covers only unprivileged users. While hardening is enabled the kernel >also does not expose the JIT image addresses in 
<code>/proc/kallsyms</code>.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145456272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145456272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > ># Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files > >for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do > > matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq ) > if ! test -z "$matching_list"; then > while IFS= read -r entry; do > escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") > # comment out "net.core.bpf_jit_harden" matches to preserve user data > sed -i "s/^${escaped_entry}$/# &/g" $f > done <<< "$matching_list" > fi >done > ># ># Set runtime for net.core.bpf_jit_harden ># >/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2" > ># ># If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2" ># else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf ># ># Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. ># Otherwise, regular sed command will do. >sed_command=('sed' '-i') >if test -L "/etc/sysctl.conf"; then > sed_command+=('--follow-symlinks') >fi > ># Strip any search characters in the key arg so that the key can be replaced without ># adding any search characters to the config file. 
>stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden") > ># shellcheck disable=SC2059 >printf -v formatted_output "%s = %s" "$stripped_key" "2" > ># If the key exists, change it. Otherwise, add it to the config_file. ># We search for the key string followed by a word boundary (matched by \>), ># so if we search for 'setting', 'setting2' won't match. >if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "/etc/sysctl.conf"; then > escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") > "${sed_command[@]}" "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" >else > # \n is precaution for case where file ends without trailing newline > cce="CCE-83966-2" > printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf" > printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145450640" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145450640"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files > find: > paths: > - /etc/sysctl.d/ > - /run/sysctl.d/ > - /usr/local/lib/sysctl.d/ > contains: ^[\s]*net.core.bpf_jit_harden.*$ > patterns: '*.conf' > file_type: any > register: find_sysctl_d > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83966-2 > - NIST-800-53-CM-6 > - NIST-800-53-SC-7(10) > - 
disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_net_core_bpf_jit_harden > >- name: Comment out any occurrences of net.core.bpf_jit_harden from config files > replace: > path: '{{ item.path }}' > regexp: ^[\s]*net.core.bpf_jit_harden > replace: '#net.core.bpf_jit_harden' > loop: '{{ find_sysctl_d.files }}' > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83966-2 > - NIST-800-53-CM-6 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_net_core_bpf_jit_harden > >- name: Ensure sysctl net.core.bpf_jit_harden is set to 2 > sysctl: > name: net.core.bpf_jit_harden > value: '2' > state: present > reload: true > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-83966-2 > - NIST-800-53-CM-6 > - NIST-800-53-SC-7(10) > - disable_strategy > - low_complexity > - medium_disruption > - medium_severity > - reboot_required > - sysctl_net_core_bpf_jit_harden ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145445520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145445520"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: data:,net.core.bpf_jit_harden%3D2%0A > mode: 0644 > path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results 
details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_etc_sysctld:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /run/sysctl.d/*.conf</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_run_sysctld:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_usr_local_lib_sysctld:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_not_defined:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> > oval:ssg-object_static_etc_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 > 
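The rule description and the OVAL results for this rule, and the two SELinux rules further down, each check a static value in configuration files and a runtime value separately. The OVAL objects listed here look at /etc/sysctl.conf and each sysctl.d directory on its own and do not work out which of several definitions systemd-sysctl applies last. The script below is an added example, not part of the SCAP Security Guide content or of this report: it resolves the effective static sysctl value following the precedence rules in sysctl.d(5), reads SELINUX= and SELINUXTYPE= from the SELinux config with the capture anchored to the line (the Content column of the SELINUXTYPE test further down shows blank lines after SELINUXTYPE=targeted, which is what a PCRE ([^#]*) group that runs across newlines captures), and compares both with the expected values the way the static and runtime OVAL tests do. The function names, the optional root prefix, the --live flag and the constructed sample files are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the SCAP Security Guide content or of this report.
# Offline-testable versions of the "static configuration" and "runtime" checks
# used by the sysctl and SELinux rules in this report.  Function names, the
# optional root prefix and the --live flag are this example's own conventions.

# Resolve the value systemd-sysctl will apply for $1, following sysctl.d(5):
# *.conf files are collected from /etc/sysctl.d, /run/sysctl.d,
# /usr/local/lib/sysctl.d and /usr/lib/sysctl.d; a file in an earlier directory
# shadows a same-named file in a later one; the surviving files are applied in
# lexicographic order of their basename and the last assignment wins.  On RHEL
# /etc/sysctl.conf is picked up via the /etc/sysctl.d/99-sysctl.conf symlink.
# $2 is an optional root prefix for testing (assumption: no '=' in paths).
# Not handled: the "-key" prefix and "/"-separated key names that sysctl.conf(5)
# also allows.
effective_sysctl() {
  local key="$1" root="${2:-}" pat
  pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # make the dots literal in the regex
  {
    seen=" "
    for dir in etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d; do
      for f in "$root/$dir"/*.conf; do
        [ -f "$f" ] || continue
        base=${f##*/}
        case "$seen" in *" $base "*) continue ;; esac   # shadowed by an earlier directory
        seen="$seen$base "
        printf '%s=%s\n' "$base" "$f"
      done
    done
  } | LC_ALL=C sort -t= -k1,1 | cut -d= -f2- | {
    val=""
    while IFS= read -r f; do
      # last non-comment assignment in this file, trailing blanks stripped
      v=$(sed -n -E "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$f" | tail -n 1)
      if [ -n "$v" ]; then val="$v"; fi
    done
    printf '%s\n' "$val"
  }
}

# Live kernel value of a sysctl key, read from /proc/sys (empty if unreadable).
runtime_sysctl() {
  local path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; fi
}

# Value of KEY (SELINUX or SELINUXTYPE) in an /etc/selinux/config style file.
# The capture stops at the first blank or '#'.  Every assignment is printed,
# one per line, so a duplicated key shows up as a multi-line value and fails
# the comparison instead of being resolved silently.
selinux_config_value() {
  local key="$1" file="${2:-/etc/selinux/config}"
  [ -r "$file" ] || return 0
  sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^#[:space:]]*).*$/\1/p" "$file"
}

# Current SELinux mode from the kernel (empty when selinuxfs is not mounted).
runtime_selinux_mode() {
  if [ -r /sys/fs/selinux/enforce ]; then
    case "$(cat /sys/fs/selinux/enforce)" in 1) echo enforcing ;; 0) echo permissive ;; esac
  fi
}

# check_rule NAME EXPECTED STATIC [RUNTIME]: pass only when both the static and
# the runtime value equal EXPECTED, mirroring the two OVAL tests.  When no
# independent runtime source exists (SELINUXTYPE), RUNTIME is omitted and the
# static value is used for both.  Returns 0 on pass, 1 on fail.
check_rule() {
  local name="$1" want="$2" static="$3" runtime="${4-$3}"
  if [ "$static" = "$want" ] && [ "$runtime" = "$want" ]; then
    printf 'pass %s static=%s runtime=%s\n' "$name" "$static" "$runtime"
    return 0
  fi
  printf 'fail %s static=%s runtime=%s expected=%s\n' \
    "$name" "${static:-unset}" "${runtime:-unknown}" "$want"
  return 1
}

# Stand-alone use on a RHEL-like host:  bash sysctl_selinux_check.sh --live
# Evaluates the failed sysctl rule from this report and the two SELinux rules.
if [ "${1:-}" = "--live" ]; then
  rc=0
  check_rule net.core.bpf_jit_harden 2 "$(effective_sysctl net.core.bpf_jit_harden)" \
    "$(runtime_sysctl net.core.bpf_jit_harden)" || rc=1
  check_rule SELINUXTYPE targeted "$(selinux_config_value SELINUXTYPE)" || rc=1
  check_rule SELINUX enforcing "$(selinux_config_value SELINUX)" "$(runtime_selinux_mode)" || rc=1
  exit "$rc"
fi
```

Run with --live on the scanned host to reproduce the pass and fail lines; without arguments the file only defines the functions, so it can be sourced and pointed at a copied directory tree (the second argument of effective_sysctl) to reason about a host offline.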
oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1 > </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.core.bpf_jit_harden set to 2</span>&nbsp; > <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.core.bpf_jit_harden</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" id="rule-detail-idm46361750830800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the auditadm_exec_content SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content mediumCCE-84090-0 </div><div class="panel-heading"><h3 class="panel-title">Enable the auditadm_exec_content SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_auditadm_exec_content:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84090-0">CCE-84090-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">80424-5</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>auditadm_exec_content</code> is enabled. >If this setting is disabled, it should be enabled. > >To enable the <code>auditadm_exec_content</code> SELinux boolean, run the following command: ><pre>$ sudo setsebool -P auditadm_exec_content on</pre> >The <code>-P</code> flag writes the boolean to the persistent policy store so that the value survives a reboot; without it the change applies only until the next policy load. The OVAL test below reports both the current and the pending value of the boolean.</div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">auditadm_exec_content is configured correctly</span>&nbsp; > <span class="label label-default">oval:ssg-test_sebool_auditadm_exec_content:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>auditadm_exec_content</td><td role="num">true</td><td 
role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm46361750846576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-84074-4 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_policytype:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84074-4">CCE-84074-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, 
<a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="">SRG-OS-000445-VMM-001780</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>:
<pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre>
Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.
<br><br>
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file</span> <span class="label label-default">oval:ssg-test_selinux_policy:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUXTYPE=targeted</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm46361750841776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-84079-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_state:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84079-3">CCE-84079-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R4)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001084</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, 
<a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000134-GPOS-00068</a>, <a href="">SRG-OS-000445-VMM-001780</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1.5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux state should be set to <code><abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode:
<pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/selinux/enforce is 1</span> <span class="label label-default">oval:ssg-test_etc_selinux_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUX=enforcing</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-detail-idm46361750221344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Avahi Server Softwarexccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled mediumCCE-90824-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Avahi Server Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_avahi-daemon_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90824-4">CCE-90824-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description"> >The <code>avahi-daemon</code> service can be disabled with the following command: ><pre>$ sudo systemctl mask --now avahi-daemon.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Because the Avahi daemon service keeps an open network >port, it is subject to network attacks. 
Its functionality >is convenient but is only appropriate if the local network >can be trusted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package avahi is removed</span>Â > <span class="label label-default">oval:ssg-test_service_avahi-daemon_package_avahi_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_avahi-daemon_package_avahi_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>avahi</td></tr></tbody></table><h4><span class="label label-primary">Test that the avahi-daemon service is not running</span>Â > <span class="label label-default">oval:ssg-test_service_not_running_avahi-daemon:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of avahi-daemon">oval:ssg-obj_service_not_running_avahi-daemon:obj:1</abbr></strong> of type > <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^avahi-daemon\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service avahi-daemon is masked</span>Â > <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_avahi-daemon:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of avahi-daemon">oval:ssg-obj_service_loadstate_is_masked_avahi-daemon:obj:1</abbr></strong> of type > <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^avahi-daemon\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" id="rule-detail-idm46361750096816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-84224-5 </div><div class="panel-heading"><h3 class="panel-title">Install fapolicyd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_fapolicyd_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_fapolicyd_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84224-5">CCE-84224-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001774</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>fapolicyd</code> package can be installed with the following command:
<pre>$ sudo dnf install fapolicyd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>fapolicyd</code> (File Access Policy Daemon)
implements application whitelisting to decide file access rights.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135881088" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362135881088"><table class="table table-striped table-bordered
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "fapolicyd" ; then
    dnf install -y "fapolicyd"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135878544" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135878544"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure fapolicyd is installed
  package:
    name: fapolicyd
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84224-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-4(22)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_fapolicyd_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135876160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135876160"><table class="table table-striped table-bordered
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_fapolicyd

class install_fapolicyd {
  package { 'fapolicyd':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135873984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135873984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=fapolicyd
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135871968" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135871968"><pre><code>[[packages]]
name = "fapolicyd"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_fapolicyd_installed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object
<strong><abbr>oval:ssg-obj_test_package_fapolicyd_installed:obj:1</abbr></strong> of type
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" id="rule-detail-idm46361750092816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-84227-8 </div><div class="panel-heading"><h3 class="panel-title">Enable the File Access Policy Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_fapolicyd_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84227-8">CCE-84227-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001774</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</a></p></td></tr><tr><td>Description</td><td><div class="description">The File Access Policy service should be enabled.
The <code>fapolicyd</code> service can be enabled with the following command:
<pre>$ sudo systemctl enable fapolicyd.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>fapolicyd</code> service (File Access Policy Daemon)
implements application whitelisting to decide file access rights.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135857344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362135857344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135854608" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135854608"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service fapolicyd
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service fapolicyd
    service:
      name: fapolicyd
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"fapolicyd" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84227-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-4(22)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_fapolicyd_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135852000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135852000"><table class="table table-striped table-bordered
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_fapolicyd

class enable_fapolicyd {
  service {'fapolicyd':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135849824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362135849824"><pre><code>[customizations.services]
enabled = ["fapolicyd"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1</abbr></strong> of type
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table><h4><span class="label label-primary">Test that the fapolicyd service is running</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_running_fapolicyd:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of fapolicyd">oval:ssg-obj_service_running_fapolicyd:obj:1</abbr></strong> of type
<strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^fapolicyd\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;
<span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
<th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th>
</tr></thead><tbody><tr><td>multi-user.target</td>
<td>basic.target</td><td>sysinit.target</td><td>veritysetup.target</td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td>
<td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td>
<td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td>
<td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td>
<td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td>
<td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td>
<td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td>
<td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td>
<td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td>
<td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td>
</tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;
<span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-detail-idm46361749995776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed mediumCCE-84215-3 </div><div class="panel-heading"><h3 class="panel-title">The Chrony package is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_chrony_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_chrony_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84215-3">CCE-84215-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.6.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description">System time should be synchronized between all systems in an environment. This is
typically done by establishing an authoritative time server or set of servers and having all
systems synchronize their clocks to them.
The <code>chrony</code> package can be installed with the following command:
<pre>$ sudo dnf install chrony</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Time synchronization is important to support time sensitive security mechanisms like
Kerberos and also ensures log files have consistent time records across the enterprise,
which aids in forensic investigations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_chrony_installed:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el9</td><td>4.3</td><td>0:4.3-1.el9</td><td>199e2f91fd431d51</td><td>chrony-0:4.3-1.el9.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_chronyd_enabled" id="rule-detail-idm46361749989744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Chronyd service is enabledxccdf_org.ssgproject.content_rule_service_chronyd_enabled mediumCCE-84217-9 </div><div class="panel-heading"><h3 class="panel-title">The Chronyd service is enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id
col-md-9">xccdf_org.ssgproject.content_rule_service_chronyd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_chronyd_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84217-9">CCE-84217-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="">0988</a>, <a href="">1405</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a></p></td></tr><tr><td>Description</td><td><div class="description">chrony is a daemon which implements the Network Time Protocol (NTP) and is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at

  <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>.
Chrony can be configured to be a client and/or a server.
To enable the chronyd service, you can run:
<code># systemctl enable chronyd.service</code>
This recommendation only applies if chrony is in use on the system.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If chrony is in use on the system, proper configuration is vital to ensuring time
synchronization is working properly.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_chronyd_package_chrony_installed:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el9</td><td>4.3</td><td>0:4.3-1.el9</td><td>199e2f91fd431d51</td><td>chrony-0:4.3-1.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the chronyd service is running</span>&nbsp;
<span class="label label-default">oval:ssg-test_service_running_chronyd:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>chronyd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;
<span class="label label-default">oval:ssg-test_multi_user_wants_chronyd:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basi
c.target</td><td>sysinit.target</td><td>veritysetup.target</td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initc
tl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp; <span class="label label-default">oval:ssg-test_multi_user_wants_chronyd_socket:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-detail-idm46361749967520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-84218-7 </div><div class="panel-heading"><h3 class="panel-title">A remote time server for Chrony is configured</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-chronyd_specify_remote_server:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84218-7">CCE-84218-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001891</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on <code>chrony</code> can be found at <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>. <code>Chrony</code> can be configured to be a client and/or a server.
Add or edit server or pool lines to <code>/etc/chrony.conf</code> as appropriate: <pre>server &lt;remote-server&gt;</pre> Multiple servers may be configured.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>chrony</code> is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure at least one NTP server is set</span>&nbsp; <span class="label label-default">oval:ssg-test_chronyd_remote_server:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>pool 2.rhel.pool.ntp.org iburst</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-detail-idm46361749954000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-84155-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall xinetd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xinetd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_xinetd_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84155-1">CCE-84155-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> package can be removed with the following command: <pre>$ sudo dnf erase xinetd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>xinetd</code> package decreases the risk of the xinetd service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_xinetd_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-detail-idm46361749950016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable xinetd Servicexccdf_org.ssgproject.content_rule_service_xinetd_disabled mediumCCE-84156-9 </div><div class="panel-heading"><h3 class="panel-title">Disable xinetd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_xinetd_disabled</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_xinetd_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84156-9">CCE-84156-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now xinetd.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_xinetd_package_xinetd_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_xinetd_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table><h4><span class="label label-primary">Test that the xinetd service is not running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_not_running_xinetd:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of xinetd">oval:ssg-obj_service_not_running_xinetd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^xinetd\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service xinetd is masked</span>&nbsp; <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_xinetd:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of xinetd">oval:ssg-obj_service_loadstate_is_masked_xinetd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^xinetd\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-detail-idm46361749946032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove NIS Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed unknownCCE-84151-0 </div><div class="panel-heading"><h3 class="panel-title">Remove NIS Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypbind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_ypbind_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and 
References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84151-0">CCE-84151-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. 
The NIS client (<code>ypbind</code>) was used to bind a system to an NIS server and receive the distributed configuration files.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The NIS service is inherently insecure: it has been vulnerable to DoS attacks and buffer overflows, and has poor authentication for querying NIS maps. NIS has generally been replaced by protocols such as the Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypbind is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_ypbind_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypbind_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypbind</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm46361749936640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-84143-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsh-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84143-7">CCE-84143-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh-server</code> package can be removed with the following command: ><pre> >$ sudo dnf erase rsh-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsh-server</code> service provides unencrypted remote access service which does not >provide for the confidentiality and integrity of user passwords or the remote session and has very weak >authentication. If a privileged user were to login using this service, the privileged user password >could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure >network services. 
Removing it decreases the risk of those services' accidental (or intentional) >activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_rsh-server_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh-server_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-detail-idm46361749932640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed unknownCCE-84142-9 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_rsh_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84142-9">CCE-84142-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description"> >The <code>rsh</code> package contains the client commands > >for the rsh services</div></td></tr><tr><td>Rationale</td><td><div class="rationale">These legacy clients contain numerous security exposures and have >been replaced with the more secure SSH package. Even if the server is removed, >it is best to ensure the clients are also removed to prevent users from >inadvertently attempting to use these commands and therefore exposing > >their credentials. Note that removing the <code>rsh</code> package removes > >the clients for <code>rsh</code>,<code>rcp</code>, and <code>rlogin</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh is removed</span>Â > <span class="label label-default">oval:ssg-test_package_rsh_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-detail-idm46361749917888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Uninstall talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-84158-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_talk-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84158-5">CCE-84158-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo dnf erase talk-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk as it uses unencrypted protocols >for communications. 
Removing the <code>talk-server</code> package decreases the >risk of the accidental (or intentional) activation of talk services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_talk-server_removed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk-server_removed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-detail-idm46361749913888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-84157-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_talk_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84157-7">CCE-84157-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. 
Talk is a communication program which copies lines from one terminal to the terminal of another user. The <code>talk</code> package can be removed with the following command: <pre>$ sudo dnf erase talk</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk because it uses unencrypted protocols for communications. Removing the <code>talk</code> package decreases the risk of the accidental (or intentional) activation of the talk client program.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_talk_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm46361749909920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-84149-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_telnet-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84149-4">CCE-84149-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.13</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>telnet-server</code> package can be removed with the following command: <pre>$ sudo dnf erase telnet-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain insecure. They increase the risk to the platform by providing additional attack vectors. <br> The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log in using this service, the privileged user's password could be compromised. 
<br> Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_telnet-server_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-detail-idm46361749905920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-84146-0 </div><div class="panel-heading"><h3 class="panel-title">Remove telnet Clients</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_telnet_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84146-0">CCE-84146-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The telnet client allows users to start connections to other systems via the telnet protocol.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>telnet</code> protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The <code>ssh</code> client (shipped in the <code>openssh-clients</code> package included in Red Hat Enterprise Linux 9) provides an encrypted session and stronger security.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_telnet_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-detail-idm46361749901936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable telnet 
Servicexccdf_org.ssgproject.content_rule_service_telnet_disabled highCCE-84150-2 </div><div class="panel-heading"><h3 class="panel-title">Disable telnet Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_telnet_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_telnet_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84150-2">CCE-84150-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with the following command: <pre>$ sudo systemctl mask --now telnet.socket</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. 
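</div></td></tr><tr><td>Added example</td><td><div class="description"><p>Added example, not part of this OpenSCAP report or of the SSG content: a POSIX shell re-implementation of the three OVAL tests listed under this rule (telnet-server absent; no unit matching <code>^telnet\.(service|socket)$</code> active; that unit's LoadState masked), together with a parser for the <code>disable = yes</code> xinetd stanza that the warning asks for. The decision logic lives in functions that take the observed states as arguments, so it can be exercised with constructed values; only <code>check_live_system</code> calls <code>rpm</code> and <code>systemctl</code>. Reading the rule as "package removed, or else not running and masked" is this example's interpretation of the tests shown above, not a quotation of the OVAL criteria tree; the function names and the sample xinetd stanza are the example's own.</p>

```shell
#!/bin/sh
# Added example (not SSG or OpenSCAP code): re-implements the checks behind
# xccdf_org.ssgproject.content_rule_service_telnet_disabled in POSIX sh.
# Assumption: the rule passes when telnet-server is absent, OR when no unit
# matching ^telnet\.(service|socket)$ is active AND every such unit is masked.

# Decide the outcome from already-observed facts, so the logic can be run
# without root, systemd or the telnet-server package.
#   $1  1 if telnet-server is installed, 0 if not
#   $2  ActiveState of a matching unit ("" if systemd reports none)
#   $3  LoadState of that unit (loaded, masked, not-found, ...)
# Returns 0 when the rule passes, 1 when it fails.
telnet_rule_result() {
    trr_installed=$1 trr_active=$2 trr_load=$3
    # OR-branch 1: package removed, nothing can serve telnet.
    [ "$trr_installed" -eq 0 ] && return 0
    # "Test that the telnet service is not running": no matching unit may be active.
    [ "$trr_active" = "active" ] && return 1
    # "LoadState ... is masked": a unit systemd does not know about yields no
    # OVAL item and therefore passes, exactly as the report above shows.
    case "$trr_load" in
        masked|not-found|"") return 0 ;;
        *)                   return 1 ;;
    esac
}

# Return 0 only if the "service telnet" stanza in an xinetd file ($1, or "-"
# for stdin) carries "disable = yes", which is what the rule's warning asks for.
xinetd_telnet_disabled() {
    xtd_val=$(awk '
        /^[[:space:]]*service[[:space:]]+telnet([^[:alnum:]_-]|$)/ { in_stanza = 1; next }
        in_stanza && /^[[:space:]]*}/ { in_stanza = 0 }
        in_stanza && /^[[:space:]]*disable[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print tolower($0); exit
        }' "$1")
    [ "$xtd_val" = "yes" ]
}

# Constructed sample of an /etc/xinetd.d/telnet file, used only for testing.
sample_xinetd_telnet_conf() {
    cat <<'EOF'
# default: off
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
}

# Gather the facts from a live host with rpm and systemctl and evaluate them.
# Both unit names the OVAL pattern can match are checked; any failing one fails.
check_live_system() {
    if rpm -q telnet-server >/dev/null 2>&1; then cls_installed=1; else cls_installed=0; fi
    cls_rc=0
    for cls_unit in telnet.socket telnet.service; do
        cls_load=$(systemctl show "$cls_unit" -p LoadState --value 2>/dev/null || echo not-found)
        cls_active=$(systemctl show "$cls_unit" -p ActiveState --value 2>/dev/null || echo inactive)
        telnet_rule_result "$cls_installed" "$cls_active" "$cls_load" || cls_rc=1
    done
    # The warning's xinetd case: any telnet stanza under /etc/xinetd.d must be disabled.
    for cls_file in /etc/xinetd.d/*; do
        [ -f "$cls_file" ] || continue
        grep -q '^[[:space:]]*service[[:space:]]*telnet' "$cls_file" || continue
        xinetd_telnet_disabled "$cls_file" || cls_rc=1
    done
    return "$cls_rc"
}

# Usage on a target host: sh telnet_check.sh --live ; exit status 1 means "fail".
if [ "${1:-}" = "--live" ]; then
    if check_live_system; then echo "service_telnet_disabled: pass"; else echo "service_telnet_disabled: fail"; exit 1; fi
fi
```

<p>Run it as <code>sh telnet_check.sh --live</code> on the target (the file name is the example's own); a non-zero exit means the rule would fail. Masking rather than merely stopping matters: a unit that is stopped but still <code>loaded</code> fails the LoadState test and can be pulled back up by its socket or a dependency, which is why the description above masks <code>telnet.socket</code> with <code>--now</code>.</p></div></td></tr><tr><td>Rationale (continued)</td><td><div class="rationale">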
The telnet protocol is also subject to man-in-the-middle attacks.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; If the system relies on <code>xinetd</code> to manage telnet sessions, ensure the telnet service is disabled by the following line: <code>disable = yes</code>. Note that the xinetd file for telnet is not created automatically, therefore it might have different names.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_telnet_package_telnet-server_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_telnet_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table><h4><span class="label label-primary">Test that the telnet service is not running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_not_running_telnet:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of telnet">oval:ssg-obj_service_not_running_telnet:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^telnet\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service telnet is masked</span>&nbsp; <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_telnet:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of telnet">oval:ssg-obj_service_loadstate_is_masked_telnet:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^telnet\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-detail-idm46361749884480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall squid Packagexccdf_org.ssgproject.content_rule_package_squid_removed unknownCCE-84238-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall squid Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_squid_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_squid_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers 
and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84238-5">CCE-84238-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.11</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>squid</code> package can be removed with the following command: <pre> $ sudo dnf erase squid</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package squid is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_squid_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_squid_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>squid</td></tr></tbody></table></div></div></div></div></div><div class="panel 
panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-detail-idm46361749880512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Squidxccdf_org.ssgproject.content_rule_service_squid_disabled unknownCCE-84239-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Squid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_squid_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_squid_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84239-3">CCE-84239-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description">The <code>squid</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now squid.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package squid is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_squid_package_squid_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_squid_package_squid_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>squid</td></tr></tbody></table><h4><span class="label label-primary">Test that the squid service is not running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_not_running_squid:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of squid">oval:ssg-obj_service_not_running_squid:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^squid\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service squid is masked</span>&nbsp; <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_squid:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of squid">oval:ssg-obj_service_loadstate_is_masked_squid:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^squid\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-detail-idm46361749871776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall quagga Packagexccdf_org.ssgproject.content_rule_package_quagga_removed lowCCE-84191-6 </div><div class="panel-heading"><h3 class="panel-title">Uninstall quagga Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_quagga_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_quagga_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84191-6">CCE-84191-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>quagga</code> package can be removed with the following command: <pre> $ sudo dnf erase quagga</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network. 
<br>If there is no need to make the router software available, removing it provides a safeguard against its activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package quagga is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_quagga_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_quagga_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>quagga</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-detail-idm46361749855584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable snmpd Servicexccdf_org.ssgproject.content_rule_service_snmpd_disabled lowCCE-90832-7 </div><div class="panel-heading"><h3 class="panel-title">Disable snmpd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_snmpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-service_snmpd_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90832-7">CCE-90832-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="">1311</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>snmpd</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now snmpd.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package net-snmp is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_snmpd_package_net-snmp_removed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_snmpd_package_net-snmp_removed:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>net-snmp</td></tr></tbody></table><h4><span class="label label-primary">Test that the snmpd service is not running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_not_running_snmpd:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of snmpd">oval:ssg-obj_service_not_running_snmpd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^snmpd\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service snmpd is masked</span>&nbsp; <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_snmpd:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of snmpd">oval:ssg-obj_service_loadstate_is_masked_snmpd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^snmpd\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-detail-idm46361749849552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SNMP Service to Use Only SNMPv3 or Newerxccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol 
mediumCCE-87293-7 </div><div class="panel-heading"><h3 class="panel-title">Configure SNMP Service to Use Only SNMPv3 or Newer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-87293-7">CCE-87293-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="">1311</a></p></td></tr><tr><td>Description</td><td><div class="description">Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>rocommunity</code>, <code>rwcommunity</code>, or <code>com2sec</code>. 
Upon doing that, restart the SNMP service: <pre>$ sudo service snmpd restart</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.</div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idm46361749804288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-90816-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_host_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90816-0">CCE-90816-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.8</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH's cryptographic host-based authentication is >more secure than <code>.rhosts</code> authentication. However, it is >not recommended that hosts unilaterally trust one another, even >within an organization. ><br> >The default SSH configuration disables host-based authentication. The appropriate >configuration is used if no value is set for <code>HostbasedAuthentication</code>. 
><br> >To explicitly disable host-based authentication, add or correct the >following line in > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><pre>HostbasedAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH trust relationships mean a compromise on one host >can allow an attacker to move trivially to other hosts.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131292528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362131292528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then > >mkdir -p /etc/ssh/sshd_config.d >touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > >LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config" >LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf >if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then > > LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># make sure file has newline at the end >sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > >cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" ># Insert before the line matching the regex '^Match'. >line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')" >if [ -z "$line_number" ]; then > # There was no match of '^Match', insert at > # the end of the file. > printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># Clean up after ourselves. 
>rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131287728" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131287728"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable Host-Based Authentication > block: > > - name: Deduplicate values from /etc/ssh/sshd_config > lineinfile: > path: /etc/ssh/sshd_config > create: false > regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ > state: absent > > - name: Check if /etc/ssh/sshd_config.d exists > stat: > path: /etc/ssh/sshd_config.d > register: _etc_ssh_sshd_config_d_exists > > - name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d > find: > paths: /etc/ssh/sshd_config.d > recurse: 'yes' > follow: 'no' > contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ > register: _etc_ssh_sshd_config_d_has_parameter > when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir > > - name: Remove parameter from files in /etc/ssh/sshd_config.d > lineinfile: > path: '{{ item.path }}' > create: false > regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ > state: absent > with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' > when: _etc_ssh_sshd_config_d_has_parameter.matched > > - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > lineinfile: > path: 
/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > create: true > regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+ > line: HostbasedAuthentication no > state: present > insertbefore: ^[#\s]*Match > validate: /usr/sbin/sshd -t -f %s > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-90816-0 > - CJIS-5.5.6 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-AC-3 > - NIST-800-53-CM-6(a) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - disable_host_auth > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131281776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131281776"><pre><code>--- >apiVersion: machineconfiguration.openshift.io/v1 >kind: MachineConfig >spec: > config: > ignition: > version: 3.1.0 > storage: > files: > - contents: > source: 
data:,[URL-encoded full sshd_config contents omitted from this copy] > mode: 0600 > path: /etc/ssh/sshd_config > overwrite: true ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> > <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> > <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">Verify if Profile set Value sshd_required as required</span> > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file</span> > <span class="label label-default">oval:ssg-test_disable_host_auth:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_disable_host_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file</span> > <span class="label label-default">oval:ssg-test_disable_host_auth_config_dir:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_disable_host_auth_config_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" id="rule-detail-idm46361749799504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Server firewalld Firewall Exceptionxccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled mediumCCE-89175-4 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Server firewalld Firewall Exception</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-firewalld_sshd_port_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-89175-4">CCE-89175-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> > <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="">1416</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a></p></td></tr><tr><td>Description</td><td><div class="description">If the SSH server is in use, inbound connections to SSH's port should be allowed to permit >remote access through SSH. 
In more restrictive firewalld settings, the SSH port should be >added to the proper firewalld zone in order to allow SSH remote access. ><br><br> > > > >To configure <code>firewalld</code> to allow <code>ssh</code> access, run the following command(s): ><pre>firewall-cmd --permanent --add-service=ssh</pre> > >Then run the following command to load the newly created rule(s): ><pre>firewall-cmd --reload</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone >will allow remote access through the SSH port.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > The remediation for this rule uses <code>firewall-cmd</code> and <code>nmcli</code> tools. >Therefore, it will only be executed if <code>firewalld</code> and <code>NetworkManager</code> >services are running. Otherwise, the remediation will be aborted and an informative message >will be shown in the remediation report. >These respective services will not be started in order to preserve any intentional change >in network components related to firewall and network interfaces.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> > This rule also checks if the SSH port was modified by the administrator in the firewalld >services definitions and is reflecting the expected port number. Although this is checked, >fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services >is not in the scope of the remediation since there is no reliable way to manually change >the respective file. 
If the default SSH port is modified, it is the administrator's >responsibility to ensure the firewalld customizations at the service port level are >properly configured.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131248976" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362131248976"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > >if ! rpm -q --quiet "firewalld" ; then > dnf install -y "firewalld" >fi >if ! rpm -q --quiet "NetworkManager" ; then > dnf install -y "NetworkManager" >fi >firewalld_sshd_zone='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_firewalld_sshd_zone">public</abbr>' > > >if systemctl is-active NetworkManager && systemctl is-active firewalld; then > # First make sure the SSH service is enabled in run-time for the proper zone. > # This is to avoid connection issues when new interfaces are added to this zone. > firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh > > # This will collect all NetworkManager connections names > readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') > # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. > # This will not change connections which are already assigned to any firewalld zone. 
> for connection in "${nm_connections[@]}"; do > current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}') > # Quote the variable: an empty zone value would otherwise make the test a syntax error. > if [ "$current_zone" = "--" ]; then > nmcli connection modify "$connection" connection.zone "$firewalld_sshd_zone" > fi > done > systemctl restart NetworkManager > > # Active zones are zones with at least one interface assigned to them. > # It is possible that traffic is coming in on any active interface and consequently any > # active zone. So, this makes sure all active zones are permanently allowing the SSH service. > readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces) > for zone in "${firewalld_active_zones[@]}"; do > firewall-cmd --permanent --zone="$zone" --add-service=ssh > done > firewall-cmd --reload >else > echo " > firewalld and NetworkManager services are not active. Remediation aborted! > This remediation could not be applied because it depends on firewalld and NetworkManager services running. > The service is not started by this remediation in order to prevent connection issues." 
> exit 1 >fi > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131241824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131241824"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value firewalld_sshd_zone # promote to variable > set_fact: > firewalld_sshd_zone: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_firewalld_sshd_zone">public</abbr> > tags: > - always > >- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld and NetworkManager > packages are installed > ansible.builtin.package: > name: '{{ item }}' > state: present > with_items: > - firewalld > - NetworkManager > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-89175-4 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(b) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - configure_strategy > - firewalld_sshd_port_enabled > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > >- name: Enable SSH Server firewalld Firewall Exception - Collect facts about system > services > ansible.builtin.service_facts: null > register: result_services_states > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-89175-4 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(b) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - configure_strategy > - firewalld_sshd_port_enabled > - 
low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > >- name: Enable SSH Server firewalld Firewall Exception - Remediation is applicable > if firewalld and NetworkManager services are running > block: > > - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager > connections names > ansible.builtin.shell: > cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }' > register: result_nmcli_cmd_connections_names > changed_when: false > > - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager > connections zones > ansible.builtin.shell: > cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print > $2}' > register: result_nmcli_cmd_connections_zones > changed_when: false > with_items: > - '{{ result_nmcli_cmd_connections_names.stdout_lines }}' > > - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections > are assigned to a firewalld zone > ansible.builtin.command: > cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone > }} > register: result_nmcli_cmd_connections_assignment > with_together: > - '{{ result_nmcli_cmd_connections_names.stdout_lines }}' > - '{{ result_nmcli_cmd_connections_zones.results }}' > when: > - item.1.stdout == '--' > > - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections > changes are applied > ansible.builtin.service: > name: NetworkManager > state: restarted > when: > - result_nmcli_cmd_connections_assignment is changed > > - name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active > zones > ansible.builtin.shell: > cmd: firewall-cmd --get-active-zones | grep -v interfaces > register: result_firewall_cmd_zones_names > changed_when: false > > - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld zones > allow SSH > ansible.builtin.command: > cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh > 
register: result_nmcli_cmd_connections_assignment > changed_when: > - '''ALREADY_ENABLED'' not in result_nmcli_cmd_connections_assignment.stderr' > with_items: > - '{{ result_firewall_cmd_zones_names.stdout_lines }}' > > - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld changes > are applied > ansible.builtin.service: > name: firewalld > state: reloaded > when: > - result_nmcli_cmd_connections_assignment is changed > when: > - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > - ansible_facts.services['firewalld.service'].state == 'running' > - ansible_facts.services['NetworkManager.service'].state == 'running' > tags: > - CCE-89175-4 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(b) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - configure_strategy > - firewalld_sshd_port_enabled > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > >- name: Enable SSH Server firewalld Firewall Exception - Informative message based > on services states > ansible.builtin.assert: > that: > - ansible_facts.services['firewalld.service'].state == 'running' > - ansible_facts.services['NetworkManager.service'].state == 'running' > fail_msg: > - firewalld and NetworkManager services are not active. Remediation aborted! > - This remediation could not be applied because it depends on firewalld and NetworkManager > services running. > - The service is not started by this remediation in order to prevent connection > issues. 
> success_msg: > - Enable SSH Server firewalld Firewall Exception remediation successfully executed > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-89175-4 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(b) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - configure_strategy > - firewalld_sshd_port_enabled > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">All NICs must have a firewalld zone defined in their settings</span> > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_network_conf_files_count:obj:1</abbr></strong> of type > <strong>variable_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th></tr></thead><tbody><tr><td>oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1</td></tr></tbody></table><h4><span class="label label-primary">SSH service is defined in all zones delivered in the firewalld package</span> > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_zone_files_usr:obj:1</abbr></strong> of type > <strong>xmlfilecontent_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Xpath</th></tr></thead><tbody><tr><td>^(dmz|external|home|internal|public|trusted|work)\.xml$</td><td>/usr/lib/firewalld/zones</td><td>/zone/service[@name='ssh']</td></tr></tbody></table><h4><span class="label label-primary">there is no equivalent zone file defined by the administrator in /etc dir</span> > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_usr_zones_not_overridden:tst:1</span> > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_customized_zone_files:obj:1</abbr></strong> of type > <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>^(dmz|external|home|internal|public|trusted|work)\.xml$</td><td>no value</td><td>/etc/firewalld/zones</td></tr></tbody></table><h4><span class="label label-primary">SSH service is defined in all zones created or modified by the administrator</span> > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc:tst:1</span> > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:obj:1</abbr></strong> of type > <strong>variable_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th></tr></thead><tbody><tr><td>oval:ssg-var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:var:1</td></tr></tbody></table><h4><span class="label label-primary">SSH service is interger in the /usr/lib/firewalld/services dir</span> > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_usr:tst:1</span> > 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_usr:obj:1</abbr></strong> of type > <strong>xmlfilecontent_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Xpath</th></tr></thead><tbody><tr><td>/usr/lib/firewalld/services/ssh.xml</td><td>/service/port[@port='22']</td></tr></tbody></table><h4><span class="label label-primary">SSH service is properly configured in /etc/firewalld/services dir</span>Â > <span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_etc:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_etc:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/firewalld/services/ssh.xml</td><td><port.*port="(\d+)"</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-detail-idm46361749794688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-90812-9 </div><div class="panel-heading"><h3 class="panel-title">Allow Only SSH Protocol 2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_allow_only_protocol2:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90812-9">CCE-90812-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000197</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0487</a>, <a href="">1449</a>, <a href="">1506</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000074-GPOS-00042</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000033-VMM-000140</a></p></td></tr><tr><td>Description</td><td><div 
class="description">Only SSH protocol version 2 connections should be permitted. The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears:
<pre>Protocol 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>
As of <code>openssh-server</code> version <code>7.4</code> and above, the only protocol supported is version 2, and line <pre>Protocol 2</pre> in <code>/etc/ssh/sshd_config</code> is not necessary.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>
<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>
<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>
<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>
<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">OpenSSH is version 7.4 or higher</span>
<span class="label label-default">oval:ssg-test_openssh-server_version:tst:1</span>
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">sshd uses protocol 2</span>
<span class="label label-default">oval:ssg-test_sshd_allow_only_protocol2:tst:1</span>
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sshd_allow_only_protocol2:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" 
id="rule-detail-idm46361749787168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-90799-8 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90799-8">CCE-90799-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>
<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000766</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000106-GPOS-00053</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.9</a></p></td></tr><tr><td>Description</td><td><div class="description">Disallow SSH login with empty passwords. >The default SSH configuration disables logins with empty passwords. The appropriate >configuration is used if no value is set for <code>PermitEmptyPasswords</code>. 
><br> >To explicitly disallow SSH login from accounts with empty passwords, >add or correct the following line in > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><br> ><pre>PermitEmptyPasswords no</pre> >Any accounts with empty passwords should be disabled immediately, and PAM configuration >should prevent users from being able to assign themselves empty passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Configuring this setting for the SSH daemon provides additional assurance >that remote login via SSH will require a password, even in the event of >misconfiguration elsewhere.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130991456" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362130991456"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then > >mkdir -p /etc/ssh/sshd_config.d >touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > >LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config" >LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf >if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then > > LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># make sure file has newline at the end >sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > >cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" ># Insert before the line matching the regex '^Match'. >line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')" >if [ -z "$line_number" ]; then > # There was no match of '^Match', insert at > # the end of the file. > printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># Clean up after ourselves. 
>rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130986048" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362130986048"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Access via Empty Passwords > block: > > - name: Deduplicate values from /etc/ssh/sshd_config > lineinfile: > path: /etc/ssh/sshd_config > create: false > regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ > state: absent > > - name: Check if /etc/ssh/sshd_config.d exists > stat: > path: /etc/ssh/sshd_config.d > register: _etc_ssh_sshd_config_d_exists > > - name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d > find: > paths: /etc/ssh/sshd_config.d > recurse: 'yes' > follow: 'no' > contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ > register: _etc_ssh_sshd_config_d_has_parameter > when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir > > - name: Remove parameter from files in /etc/ssh/sshd_config.d > lineinfile: > path: '{{ item.path }}' > create: false > regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ > state: absent > with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' > when: _etc_ssh_sshd_config_d_has_parameter.matched > > - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > lineinfile: > path: 
/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > create: true > regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+ > line: PermitEmptyPasswords no > state: present > insertbefore: ^[#\s]*Match > validate: /usr/sbin/sshd -t -f %s > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-90799-8 > - CJIS-5.5.6 > - NIST-800-171-3.1.1 > - NIST-800-171-3.1.5 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(a) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - PCI-DSS-Req-2.2.6 > - high_severity > - low_complexity > - low_disruption > - no_reboot_needed > - restrict_strategy > - sshd_disable_empty_passwords ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is 
removed</span>&nbsp; > <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel 
panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idm46361749782352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-90808-7 </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_gssapi_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90808-7">CCE-90808-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">Unless needed, SSH should not permit extraneous or unnecessary >authentication mechanisms like GSSAPI. 
><br> >The default SSH configuration disallows authentication based on GSSAPI. The appropriate >configuration is used if no value is set for <code>GSSAPIAuthentication</code>. ><br> >To explicitly disable GSSAPI authentication, add or correct the following line in > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><pre>GSSAPIAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">GSSAPI authentication is used to provide additional authentication mechanisms to >applications. Allowing GSSAPI authentication through SSH exposes the system's >GSSAPI to remote hosts, increasing the attack surface of the system.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130942448" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362130942448"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then > >mkdir -p /etc/ssh/sshd_config.d >touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > >LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config" >LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf >if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then > > LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># make sure file has newline at the end >sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > >cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" ># Insert before the line matching the regex '^Match'. >line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')" >if [ -z "$line_number" ]; then > # There was no match of '^Match', insert at > # the end of the file. > printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># Clean up after ourselves. 
>rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130938288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362130938288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable GSSAPI Authentication > block: > > - name: Deduplicate values from /etc/ssh/sshd_config > lineinfile: > path: /etc/ssh/sshd_config > create: false > regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ > state: absent > > - name: Check if /etc/ssh/sshd_config.d exists > stat: > path: /etc/ssh/sshd_config.d > register: _etc_ssh_sshd_config_d_exists > > - name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d > find: > paths: /etc/ssh/sshd_config.d > recurse: 'yes' > follow: 'no' > contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ > register: _etc_ssh_sshd_config_d_has_parameter > when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir > > - name: Remove parameter from files in /etc/ssh/sshd_config.d > lineinfile: > path: '{{ item.path }}' > create: false > regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ > state: absent > with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' > when: _etc_ssh_sshd_config_d_has_parameter.matched > > - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > lineinfile: > path: 
/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > create: true > regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+ > line: GSSAPIAuthentication no > state: present > insertbefore: ^[#\s]*Match > validate: /usr/sbin/sshd -t -f %s > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-90808-7 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(a) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > - sshd_disable_gssapi_auth ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; > <span class="label 
label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature 
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_gssapi_auth:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config.d file</span>&nbsp; > <span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1</span>&nbsp; > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d/50-redhat.conf</td><td>GSSAPIAuthentication yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idm46361749777552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-90802-0 </div><div class="panel-heading"><h3 
class="panel-title">Disable Kerberos Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_kerb_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90802-0">CCE-90802-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; > <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">Unless needed, SSH should not permit extraneous or unnecessary >authentication mechanisms like Kerberos. ><br> >The default SSH configuration disallows authentication validation through Kerberos. >The appropriate configuration is used if no value is set for <code>KerberosAuthentication</code>. ><br> >To explicitly disable Kerberos authentication, add or correct the following line in > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><pre>KerberosAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos >is enabled through SSH, the SSH daemon provides a means of access to the >system's Kerberos implementation. 
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130887360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130887360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then

    LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130881552" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130881552"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable Kerberos Authentication
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter KerberosAuthentication is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      line: KerberosAuthentication no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90802-0
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_kerb_auth
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the 
default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_kerb_auth:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-detail-idm46361749770688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-90797-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for .rhosts Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_rhosts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90797-2">CCE-90797-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000107-VMM-000530</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.11</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files.
<br>
The default SSH configuration disables support for <code>.rhosts</code>. The appropriate configuration is used if no value is set for <code>IgnoreRhosts</code>.
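Both this rule and the KerberosAuthentication rule above fail on the scanned host for the same reason: the OVAL tests grep <code>/etc/ssh/sshd_config</code> and <code>/etc/ssh/sshd_config.d/*.conf</code> for an explicit directive, find nothing, and report <code>false</code>, even though the daemon is already running with the secure default. The following Python is an added example, not part of this report or of ComplianceAsCode, that models the file-based check next to the way sshd itself resolves a directive (first value read wins, <code>Include</code> expanded in place), and it goes one step beyond the report by showing what happens when the main file and a drop-in disagree. Assumptions, labelled in the code: the RHEL 9 layout where <code>sshd_config</code> begins with <code>Include /etc/ssh/sshd_config.d/*.conf</code>; the upstream defaults the two rule descriptions quote; OVAL tests that pass only when at least one item exists and every item carries the expected value (my reading of the object with Instance 1 shown in the report); conditional <code>Match</code> sections ignored, as in <code>sshd -T</code> without <code>-C</code>; and sample files that are constructed here, not copied from any host.

```python
"""Added example: the report's file-based check for a sshd directive, next to
sshd's own first-value-wins resolution. Not part of the OpenSCAP report or of
ComplianceAsCode; sample files below are constructed, not taken from a host."""
import re
from typing import Dict, Optional, Tuple

DROPIN_GLOB = "/etc/ssh/sshd_config.d/*.conf"   # assumed RHEL 9 Include line
REINFORCE = "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
# Upstream OpenSSH defaults, as stated in the two rule descriptions.
DEFAULTS = {"kerberosauthentication": "no", "ignorerhosts": "yes"}


def directive_re(name: str) -> "re.Pattern[str]":
    """Same shape as the OVAL pattern in the report; Python's re needs the
    case-insensitive flag scoped as (?i:...) instead of (?i)...(?-i)."""
    return re.compile(r"^[ \t]*(?i:" + re.escape(name) + r")[ \t]+(.+?)[ \t]*(?:$|#)", re.M)


def first_instance(text: str, name: str) -> Optional[str]:
    """Value on the first explicit `name` line of one file (OVAL instance 1), or None."""
    m = directive_re(name).search(text)
    return m.group(1) if m else None


def oval_test(files: Dict[str, str], name: str, expected: str) -> bool:
    """One textfilecontent54 test over a file set. Assumed semantics: at least one
    item must exist and every item must carry the expected value."""
    items = [v for v in (first_instance(t, name) for t in files.values()) if v is not None]
    return bool(items) and all(v.lower() == expected.lower() for v in items)


def oval_rule(main: str, dropins: Dict[str, str], name: str, expected: str) -> bool:
    """OR of the two tests the report lists: sshd_config, then sshd_config.d/*.conf."""
    conf_d = {p: t for p, t in dropins.items() if p.endswith(".conf")}
    return oval_test({"/etc/ssh/sshd_config": main}, name, expected) or oval_test(conf_d, name, expected)


def effective_value(main: str, dropins: Dict[str, str], name: str) -> Optional[str]:
    """What sshd uses: the first value read wins, Include is expanded where it
    appears (files in sorted order), and lines after a Match keyword are
    conditional and skipped here (simplification). Falls back to the default."""
    pat = directive_re(name)

    def scan(text: str) -> Optional[str]:
        for line in text.splitlines():
            words = line.split(None, 1)
            if not words or words[0].startswith("#"):
                continue
            keyword = words[0].lower()
            if keyword == "match":
                break
            if keyword == "include" and len(words) == 2 and words[1].strip() == DROPIN_GLOB:
                for path in sorted(p for p in dropins if p.endswith(".conf")):
                    found = scan(dropins[path])
                    if found is not None:
                        return found
                continue
            m = pat.match(line)
            if m:
                return m.group(1)
        return None

    found = scan(main)
    return found if found is not None else DEFAULTS.get(name.lower())


# Constructed sample files (not copied from a real host).
RHEL9_MAIN = """\
# constructed sample of a RHEL 9 main file: drop-ins are read first
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
SCANNED_DROPINS = {
    "/etc/ssh/sshd_config.d/50-redhat.conf": "SyslogFacility AUTHPRIV\nChallengeResponseAuthentication no\n",
}


def scenarios(name: str = "KerberosAuthentication", expected: str = "no") -> Dict[str, Tuple[Optional[str], bool]]:
    """(effective value, OVAL verdict) for four states of the constructed files."""
    wrong = "yes" if expected.lower() == "no" else "no"
    remediated = {**SCANNED_DROPINS, REINFORCE: f"{name} {expected}\n"}
    explicit_after_include = RHEL9_MAIN + f"{name} {wrong}\n"
    explicit_before_include = f"{name} {wrong}\n" + RHEL9_MAIN
    return {
        "as_scanned": (effective_value(RHEL9_MAIN, SCANNED_DROPINS, name),
                       oval_rule(RHEL9_MAIN, SCANNED_DROPINS, name, expected)),
        "remediated": (effective_value(RHEL9_MAIN, remediated, name),
                       oval_rule(RHEL9_MAIN, remediated, name, expected)),
        "explicit_after_include": (effective_value(explicit_after_include, remediated, name),
                                   oval_rule(explicit_after_include, remediated, name, expected)),
        "explicit_before_include": (effective_value(explicit_before_include, remediated, name),
                                    oval_rule(explicit_before_include, remediated, name, expected)),
    }


if __name__ == "__main__":
    for label, (value, verdict) in scenarios().items():
        print(f"{label:24s} effective={value!s:4s} oval={'pass' if verdict else 'fail'}")
```

The last scenario is the one to remember: a stray <code>KerberosAuthentication yes</code> placed above the <code>Include</code> line wins for the daemon, yet the check still passes because the drop-in test alone satisfies the OR. That is why the shell and Ansible remediations delete the directive from <code>sshd_config</code> and every other drop-in before writing the reinforced value. On a real host, confirm the daemon's view rather than the files with <code>sshd -T | grep -i -e kerberosauthentication -e ignorerhosts</code>.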
<br>
To explicitly disable support for .rhosts files, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>IgnoreRhosts yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130782000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130782000"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then

    LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130777296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130777296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Support for .rhosts Files
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      line: IgnoreRhosts yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90797-2
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_rhosts
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_rhosts:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_rhosts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1</span>&nbsp;<span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm46361749763200"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-90800-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_root_login:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90800-4">CCE-90800-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R21)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
<code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>PermitRootLogin no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130617184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130617184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf

LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then

    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130612640" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130612640"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Root Login
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      line: PermitRootLogin no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90800-4
  - CJIS-5.5.6
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(2)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(5)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_root_login
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label 
label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp; <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_disable_root_login:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_root_login:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_disable_root_login_config_dir:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-detail-idm46361749753632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-90796-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for User Known Hosts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_user_known_hosts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90796-4">CCE-90796-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled. 
<br><br>
To ensure this behavior is disabled, add or correct the following line in
<code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>IgnoreUserKnownHosts yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130541168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130541168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf

LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then

    LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130536576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130536576"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Support for User Known Hosts
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter IgnoreUserKnownHosts is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      line: IgnoreUserKnownHosts yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90796-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_user_known_hosts
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp; <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > 
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file</span>Â > <span class="label label-default">oval:ssg-test_sshd_disable_user_known_hosts:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_user_known_hosts:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config.d file</span>Â > <span class="label label-default">oval:ssg-test_sshd_disable_user_known_hosts_config_dir:tst:1</span>Â > <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding" id="rule-detail-idm46361749748816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-90798-0 </div><div class="panel-heading"><h3 class="panel-title">Disable X11 Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_x11_forwarding:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90798-0">CCE-90798-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The X11Forwarding parameter provides the ability to tunnel X11 traffic >through the connection to enable remote graphic connections. >SSH has the capability to encrypt remote X11 connections when SSH's ><code>X11Forwarding</code> option is enabled. ><br> >The default SSH configuration disables X11Forwarding. The appropriate >configuration is used if no value is set for <code>X11Forwarding</code>. ><br> >To explicitly disable X11 Forwarding, add or correct the following line in > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><pre>X11Forwarding no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disable X11 forwarding unless there is an operational requirement to use X11 >applications directly. There is a small risk that the remote X11 servers of >users who are logged in via SSH with X11 forwarding could be compromised by >other users on the X11 server. 
Note that even if X11 forwarding is disabled, >users can always install their own forwarders.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130517792" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362130517792"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > >mkdir -p /etc/ssh/sshd_config.d >touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > >LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config" >LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf >if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then > > LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># make sure file has newline at the end >sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > >cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" ># Insert before the line matching the regex '^Match'. >line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')" >if [ -z "$line_number" ]; then > # There was no match of '^Match', insert at > # the end of the file. 
> printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># Clean up after ourselves. >rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130512432" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362130512432"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable X11 Forwarding > block: > > - name: Deduplicate values from /etc/ssh/sshd_config > lineinfile: > path: /etc/ssh/sshd_config > create: false > regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+ > state: absent > > - name: Check if /etc/ssh/sshd_config.d exists > stat: > path: /etc/ssh/sshd_config.d > register: _etc_ssh_sshd_config_d_exists > > - name: Check if the parameter X11Forwarding is present in /etc/ssh/sshd_config.d > find: > paths: /etc/ssh/sshd_config.d > recurse: 'yes' > follow: 'no' > contains: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+ > register: 
_etc_ssh_sshd_config_d_has_parameter > when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir > > - name: Remove parameter from files in /etc/ssh/sshd_config.d > lineinfile: > path: '{{ item.path }}' > create: false > regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+ > state: absent > with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' > when: _etc_ssh_sshd_config_d_has_parameter.matched > > - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > lineinfile: > path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > create: true > regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+ > line: X11Forwarding no > state: present > insertbefore: ^[#\s]*Match > validate: /usr/sbin/sshd -t -f %s > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-90798-0 > - NIST-800-53-CM-6(b) > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > - sshd_disable_x11_forwarding ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â > <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label 
label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file</span>Â > <span class="label label-default">oval:ssg-test_sshd_disable_x11_forwarding:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_x11_forwarding:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of X11Forwarding setting in the /etc/ssh/sshd_config.d file</span>Â > <span class="label label-default">oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d/50-redhat.conf</td><td>X11Forwarding yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-detail-idm46361749744000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-90803-8 </div><div class="panel-heading"><h3 class="panel-title">Do Not Allow SSH Environment Options</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_do_not_permit_user_env:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90803-8">CCE-90803-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, 
<a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that users are not able to override environment variables of the SSH daemon. ><br> >The default SSH configuration disables environment processing. The appropriate >configuration is used if no value is set for <code>PermitUserEnvironment</code>. 
><br> >To explicitly disable Environment options, add or correct the following > > ><code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: > ><pre>PermitUserEnvironment no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH environment options potentially allow users to bypass >access restriction in some configurations.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130474672" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362130474672"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms >if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then > >mkdir -p /etc/ssh/sshd_config.d >touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > >LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config" >LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf >if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then > > LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># make sure file has newline at the end >sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > >cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" ># Insert before the line matching the regex '^Match'. 
>line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')" >if [ -z "$line_number" ]; then > # There was no match of '^Match', insert at > # the end of the file. > printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >else > head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" > tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" >fi ># Clean up after ourselves. >rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > >else > >&2 echo 'Remediation is not applicable, nothing was done' >fi ></code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130469872" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362130469872"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Do Not Allow SSH Environment Options > block: > > - name: Deduplicate values from /etc/ssh/sshd_config > lineinfile: > path: /etc/ssh/sshd_config > create: false > regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ > state: absent > > - name: Check if /etc/ssh/sshd_config.d exists > stat: > path: /etc/ssh/sshd_config.d 
> register: _etc_ssh_sshd_config_d_exists > > - name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d > find: > paths: /etc/ssh/sshd_config.d > recurse: 'yes' > follow: 'no' > contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ > register: _etc_ssh_sshd_config_d_has_parameter > when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir > > - name: Remove parameter from files in /etc/ssh/sshd_config.d > lineinfile: > path: '{{ item.path }}' > create: false > regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ > state: absent > with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}' > when: _etc_ssh_sshd_config_d_has_parameter.matched > > - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > lineinfile: > path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf > create: true > regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+ > line: PermitUserEnvironment no > state: present > insertbefore: ^[#\s]*Match > validate: /usr/sbin/sshd -t -f %s > when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] > tags: > - CCE-90803-8 > - CJIS-5.5.6 > - NIST-800-171-3.1.12 > - NIST-800-53-AC-17(a) > - NIST-800-53-CM-6(a) > - NIST-800-53-CM-7(a) > - NIST-800-53-CM-7(b) > - PCI-DSS-Req-2.2.6 > - low_complexity > - low_disruption > - medium_severity > - no_reboot_needed > - restrict_strategy > - sshd_do_not_permit_user_env ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â > <span class="label 
label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file</span>Â > <span class="label label-default">oval:ssg-test_sshd_do_not_permit_user_env:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_do_not_permit_user_env:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitUserEnvironment 
setting in the /etc/ssh/sshd_config.d file</span>Â > <span class="label label-default">oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idm46361749731728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-90809-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Strict Mode Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_strictmodes:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful 
identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90809-5">CCE-90809-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr>
<tr><td>Description</td><td><div class="description">SSH's <code>StrictModes</code> option makes <code>sshd</code> check the ownership and permissions of the user's home directory and of the files under <code>~/.ssh</code> (such as <code>authorized_keys</code>) before accepting a login. If any of them is group- or world-writable, or is not owned by the user or by root, the login is rejected.
<br>
The default SSH configuration has <code>StrictModes</code> enabled, so the appropriate behaviour applies when no value is set. Note that the check for this rule only looks for an explicit directive in <code>/etc/ssh/sshd_config</code> and <code>/etc/ssh/sshd_config.d/*.conf</code> (see the OVAL test results below), so a host that relies on the compiled-in default still fails the rule; <code>sshd -T | grep -i strictmodes</code> prints the value actually in effect.
<br>
To explicitly enable <code>StrictModes</code> in SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>StrictModes yes</pre></div></td></tr>
<tr><td>Rationale</td><td><div class="rationale">If other users can modify a user's SSH configuration files (for example <code>~/.ssh/authorized_keys</code>), they may be able to log into the system as that user.</div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130349296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362130349296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then

    LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130343456" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362130343456"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable Use of Strict Mode Checking
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter StrictModes is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      line: StrictModes yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90809-5
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_strictmodes
</code></pre></div></div></td></tr></tbody></table>
<div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table>
<h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table>
<h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span 
class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â > <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â > <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â > <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â > <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of StrictModes setting in the /etc/ssh/sshd_config file</span>Â > <span class="label label-default">oval:ssg-test_sshd_enable_strictmodes:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of StrictModes setting in the /etc/ssh/sshd_config.d file</span>Â > <span class="label label-default">oval:ssg-test_sshd_enable_strictmodes_config_dir:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1</abbr></strong> of type > <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idm46361749726928"><div class="keywords sr-only"><!--This allows OpenSCAP JS 
to search the report rules-->Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-90807-9 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_warning_banner:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90807-9">CCE-90807-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000048</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000050</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001384</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001385</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001386</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001387</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001388</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_TAB.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</a>, <a href="">SRG-OS-000023-VMM-000060</a>, <a href="">SRG-OS-000024-VMM-000070</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.15</a></p></td></tr>
<tr><td>Description</td><td><div class="description">To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>Banner /etc/issue</pre>
<code>sshd</code> displays no banner unless one is configured (the built-in default is <code>Banner none</code>), so this rule fails on an unmodified system. Another section contains information on how to create an appropriate system-wide warning banner.</div></td></tr>
<tr><td>Rationale</td><td><div class="rationale">The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should use a banner that does not provide easy attribution.</div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130290288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362130290288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf

LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then

    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130285792" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362130285792"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable SSH Warning Banner
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      line: Banner /etc/issue
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90807-9
  - CJIS-5.5.6
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_warning_banner
</code></pre></div></div></td></tr></tbody></table>
<div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body">
<h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table>
<h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of Banner setting in the /etc/ssh/sshd_config file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_enable_warning_banner:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_warning_banner:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of Banner setting in the /etc/ssh/sshd_config.d file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-detail-idm46361749715280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Print Last Log xccdf_org.ssgproject.content_rule_sshd_print_last_log medium CCE-90804-6 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Print Last Log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_print_last_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_print_last_log:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90804-6">CCE-90804-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000052</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that SSH will display the date and time of the last successful account logon.
<br>
The default SSH configuration enables printing of the date and time of the last login.
The appropriate configuration is used if no value is set for <code>PrintLastLog</code>.
<br>
To explicitly enable LastLog in SSH, add or correct the following line in
<code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>PrintLastLog yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130076944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130076944"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then

    LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130072240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130072240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable SSH Print Last Log
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PrintLastLog is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      line: PrintLastLog yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90804-6
  - NIST-800-53-AC-9
  - NIST-800-53-AC-9(1)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_print_last_log
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_print_last_log:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_print_last_log:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PrintLastLog setting in the /etc/ssh/sshd_config.d file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_print_last_log_config_dir:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to
the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_print_last_log_config_dir:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" id="rule-detail-idm46361749705104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set LogLevel to INFO xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info low CCE-90813-7 </div><div class="panel-heading"><h3 class="panel-title">Set LogLevel to INFO</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_loglevel_info:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;
<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90813-7">CCE-90813-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;
<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.5</a></p></td></tr><tr><td>Description</td><td><div class="description">The INFO parameter specifies that login and logout activity will be logged.
<br>
The default SSH configuration sets the log level to INFO. The appropriate
configuration is used if no value is set for <code>LogLevel</code>.
<br>
To explicitly specify the log level in SSH, add or correct the following line in
<code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>:
<pre>LogLevel INFO</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH provides several logging levels with varying amounts of verbosity. <code>DEBUG</code> is specifically
not recommended other than strictly for debugging SSH communications, since it produces
so much data that it is difficult to identify important security information. The <code>INFO</code> level is the
basic level that only records login activity of SSH users. In many situations, such as incident
response, it is important to determine when a particular user was active on a system. The
logout record can eliminate those users who had already disconnected, which helps narrow the field.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130009920" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130009920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then

    LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130003952" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130003952"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Set LogLevel to INFO
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      line: LogLevel INFO
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90813-7
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_loglevel_info
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label
label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;
<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of LogLevel setting in the /etc/ssh/sshd_config file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_set_loglevel_info:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_set_loglevel_info:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file</span>&nbsp;
<span class="label label-default">oval:ssg-test_sshd_set_loglevel_info_config_dir:tst:1</span>&nbsp;
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_set_loglevel_info_config_dir:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" id="rule-detail-idm46361749697600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH authentication attempt limitxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries mediumCCE-90810-3 </div><div class="panel-heading"><h3 class="panel-title">Set SSH authentication attempt limit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_max_auth_tries:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90810-3">CCE-90810-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.16</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. To set MaxAuthTries, edit <code>/etc/ssh/sshd_config</code> as follows:<pre>MaxAuthTries <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks against the SSH server.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129956464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129956464"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_max_auth_tries_value='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr>'


if [ -e "/etc/ssh/sshd_config" ] ; then

    LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129953280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129953280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value sshd_max_auth_tries_value # promote to variable
  set_fact:
    sshd_max_auth_tries_value: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr>
  tags:
    - always

- name: Set SSH authentication attempt limit
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxAuthTries\s+
      state: absent
      check_mode: true
      changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*MaxAuthTries\s+
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: true
      regexp: (?i)^\s*MaxAuthTries\s+
      line: MaxAuthTries {{ sshd_max_auth_tries_value }}
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90810-3
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_set_max_auth_tries
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value 
sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">maxauthtries is configured</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_max_auth_tries:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sshd_max_auth_tries:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" id="rule-detail-idm46361749686576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Distribute the SSH Server configuration to multiple files in a config directory.xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration mediumCCE-87681-3 </div><div class="panel-heading"><h3 class="panel-title">Distribute the SSH Server configuration to multiple files in a config directory.</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_use_directory_configuration:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-87681-3">CCE-87681-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description">Make sure to have the <code>Include /etc/ssh/sshd_config.d/*.conf</code> line in the <code>/etc/ssh/sshd_config</code> file. Ideally, don't have any active configuration directives in that file, and distribute the service configuration to several files in the <code>/etc/ssh/sshd_config.d</code> directory.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This form of distributed configuration is considered a good practice, and because other sshd rules assume that directives in files in the <code>/etc/ssh/sshd_config.d</code> config directory are effective, a rule is needed to ensure this. Aside from that, having multiple configuration files makes SSH Server configuration changes easier to partition according to the reason they were introduced, which should make merging hardening updates easier.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the presence of 'Include /etc/ssh/sshd_config.d/*.conf' setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_includes_config_files:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>Include /etc/ssh/sshd_config.d/*.conf</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of match setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_use_directory_configuration_default_not_overriden:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_use_directory_configuration_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)match(?-i)\s+\S+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm46361749826528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-90820-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_sshd_private_key:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90820-2">CCE-90820-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH server private keys, that is, files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code> group, they have to have the <code>0600</code> permission or stricter. If they are owned by the <code>root</code> user and by the dedicated <code>ssh_keys</code> group, they can have the <code>0640</code> permission or stricter.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No keys that have unsafe ownership/permissions combination exist</span>&nbsp;<span class="label label-default">oval:ssg-test_no_offending_keys:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="All keys in /etc/ssh with unsafe ownership/permission combination">oval:ssg-object_offending_keys:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/ssh</td><td>.*_key$</td><td>oval:ssg-exclude_symlinks__sshd_private_key:ste:1</td><td>oval:ssg-filter_ssh_key_owner_root:ste:1</td><td>oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_usbguard_installed" id="rule-detail-idm46361749660176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-84203-9 </div><div class="panel-heading"><h3 class="panel-title">Install usbguard Package</h3></div><div class="panel-body"><table class="table 
table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_usbguard_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_usbguard_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84203-9">CCE-84203-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-001958</a>, <a href="">1418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>usbguard</code> package can be installed with the following command:<pre>$ sudo dnf install usbguard</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>usbguard</code> is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129578880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129578880"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease; then

if ! rpm -q --quiet "usbguard" ; then
    dnf install -y "usbguard"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129576512" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129576512"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  when: ansible_architecture != "s390x"
  tags:
  - CCE-84203-9
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_usbguard_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129574192" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129574192"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_usbguard

class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129572016" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129572016"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=usbguard
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129570000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362129570000"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
  - usbguard
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn 
btn-success" data-toggle="collapse" data-target="#idm46362129568864" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet â²</a><br><div class="panel-collapse collapse" id="idm46362129568864"><pre><code> >[[packages]] >name = "usbguard" >version = "*" ></code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is installed</span>Â > <span class="label label-default">oval:ssg-test_package_usbguard_installed:tst:1</span>Â > <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_usbguard_installed:obj:1</abbr></strong> of type > <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_usbguard_enabled" id="rule-detail-idm46361749656176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-84205-4 </div><div class="panel-heading"><h3 class="panel-title">Enable the USBGuard Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_usbguard_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not 
satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_usbguard_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â > <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84205-4">CCE-84205-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â > <a href="https://public.cyber.mil/stigs/cci/">CCI-000416</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001958</a>, <a href="">1418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description">The USBGuard service should be enabled. 

The <code>usbguard</code> service can be enabled with the following command:
<pre>$ sudo systemctl enable usbguard.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>usbguard</code> service must be running in order to enforce the USB device authorization policy for all USB devices.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129554624" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362129554624"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'usbguard.service'
"$SYSTEMCTL_EXEC" start 'usbguard.service'
"$SYSTEMCTL_EXEC" enable 'usbguard.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129551808" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129551808"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service usbguard
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service usbguard
    service:
      name: usbguard
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"usbguard" in ansible_facts.packages'
  when:
  - ansible_architecture != "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84205-4
  - NIST-800-53-CM-8(3)(a)
  - NIST-800-53-IA-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_usbguard_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129549168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129549168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_usbguard

class enable_usbguard {
  service {'usbguard':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129546992" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129546992"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129545696" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129545696"><pre><code>[customizations.services]
enabled = ["usbguard"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is installed</span>&nbsp; <span class="label label-default">oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table><h4><span class="label label-primary">Test that the usbguard service is running</span>&nbsp; <span class="label label-default">oval:ssg-test_service_running_usbguard:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of usbguard">oval:ssg-obj_service_running_usbguard:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^usbguard\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp; <span class="label label-default">oval:ssg-test_multi_user_wants_usbguard:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp; <span class="label label-default">oval:ssg-test_multi_user_wants_usbguard_socket:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" id="rule-detail-idm46361749646800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Authorize Human Interface Devices and USB hubs in USBGuard daemonxccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub mediumCCE-84210-4 </div><div class="panel-heading"><h3 class="panel-title">Authorize Human Interface Devices and USB hubs in USBGuard daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-usbguard_allow_hid_and_hub:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp; <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84210-4">CCE-84210-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp; <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</a></p></td></tr><tr><td>Description</td><td><div class="description">To allow authorization of USB devices combining human interface device and hub capabilities by the USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* 09:00:* }</code> to <code>/etc/usbguard/rules.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp; This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129480288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362129480288"><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease; then

echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129478992" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129478992"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: allow HID devices and hubs
  lineinfile:
    path: /etc/usbguard/rules.conf
    create: true
    line: allow with-interface match-all { 03:*:* 09:00:* }
    state: present
  when: ansible_architecture != "s390x"
  tags:
  - CCE-84210-4
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - usbguard_allow_hid_and_hub
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129476576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129476576"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }}
        mode: 0600
        path: /etc/usbguard/rules.d/75-hid-and-hub.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ exist and contain at least one non-whitespace character</span>&nbsp; <span class="label label-default">oval:ssg-test_usbguard_rules_nonempty:tst:1</span>&nbsp; <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_usbguard_rules_nonempty:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/usbguard/(rules|rules\.d/.*)\.conf$</td><td>^.*\S+.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><a href="#result-details" class="btn btn-info noprint">Scroll back to the first rule</a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.</div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit">Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.3.7</p></div></footer></body></html>
<!DOCTYPE html><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_ism_o | OpenSCAP Evaluation Report</title><style> /*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ /*! * Generated using the Bootstrap Customizer (https://getbootstrap.com/customize/?id=8160adef040364fa8f688f6065765caf) * Config saved to config.json and https://gist.github.com/8160adef040364fa8f688f6065765caf *//*! * Bootstrap v3.3.7 (http://getbootstrap.com) * Copyright 2011-2016 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace, 
monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type="checkbox"],input[type="radio"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="number"]::-webkit-inner-spin-button,input[type="number"]::-webkit-outer-spin-button{height:auto}input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid #c0c0c0;margin:0 2px;padding:0.35em 0.625em 0.75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}/*! 
Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,*:before,*:after{background:transparent !important;color:#000 !important;-webkit-box-shadow:none !important;box-shadow:none !important;text-shadow:none !important}a,a:visited{text-decoration:underline}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid 
#eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role="button"]{cursor:pointer}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar 
.input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open 
.dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse 
.navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn 
.label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info 
hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear 
infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, 
transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child 
.list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child 
td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child 
td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.
table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading 
.badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading 
.badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px 
rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row 
!important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media 
(min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}} table.treetable span.indenter{display:inline-block;margin:0;padding:0;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px}table.treetable tr.collapsed span.indenter a{background-image:url(data:image/png;base64,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)}table.treetable tr.expanded span.indenter a{background-image:url(data:image/png;base64,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)}table.treetable tr.branch{background-color:#f9f9f9}table.treetable tr.selected{background-color:#3875d7;color:#fff}table.treetable tr span.indenter a{outline:0}tr.rule-overview-needs-attention td a{color:#d9534f}td.rule-result div,span.rule-result{text-align:center;font-weight:bold;color:#fff;background:gray}td.rule-result-fail div,span.rule-result-fail{background:#d9534f}td.rule-result-error div,span.rule-result-error{background:#d9534f}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e}td.rule-result-pass 
div,span.rule-result-pass{background:#5cb85c}td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c}.js-only{display:none}.rule-result-filtered,.rule-result-filtered>*{display:none !important}.search-no-match,.search-no-match>*{display:none !important}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f}#footer{text-align:center;margin-top:50px}pre{overflow:auto !important;word-wrap:normal !important;white-space:pre-wrap}div.check-system-details,div.remediation,div.description{width:0;min-width:100%;overflow-x:auto}div.profile-description{white-space:pre-wrap}div.modal-body{margin:50px;padding:0}div.horizontal-scroll{overflow-x:auto}div.top-spacer-10{margin-top:10px}@media print{.noprint{display:none}.label{border:0;padding:0}.container{width:100%}abbr[title]{border:0;text-decoration:none}div.progress{overflow:visible;height:auto}div.progress-bar{width:auto;float:none;width:auto !important;text-align:left}div.panel-body{padding:4px}}</style><script> /*! 
jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */ !function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new 
Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof 
b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new 
RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var 
c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var 
0),c===!1&&(c=qa),this.each(function(){n.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){n.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?n.event.trigger(a,b,c,!0):void 0}});var ta=/ jQuery\d+="(?:null|\d+)"/g,ua=new RegExp("<(?:"+ba+")[\\s/>]","i"),va=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,wa=/<script|<style|<link/i,xa=/checked\s*(?:[^=]|=\s*.checked.)/i,ya=/^true\/(.*)/,za=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,Aa=ca(d),Ba=Aa.appendChild(d.createElement("div"));function Ca(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function Da(a){return a.type=(null!==n.find.attr(a,"type"))+"/"+a.type,a}function Ea(a){var b=ya.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function Fa(a,b){if(1===b.nodeType&&n.hasData(a)){var c,d,e,f=n._data(a),g=n._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)n.event.add(b,c,h[c][d])}g.data&&(g.data=n.extend({},g.data))}}function Ga(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!l.noCloneEvent&&b[n.expando]){e=n._data(b);for(d in e.events)n.removeEvent(b,d,e.handle);b.removeAttribute(n.expando)}"script"===c&&b.text!==a.text?(Da(b).text=a.text,Ea(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),l.html5Clone&&a.innerHTML&&!n.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&Z.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}}function Ha(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&xa.test(q))return a.each(function(e){var 
f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),Ha(f,b,c,d)});if(o&&(k=ja(b,a[0].ownerDocument,!1,a,d),e=k.firstChild,1===k.childNodes.length&&(k=e),e||d)){for(i=n.map(ea(k,"script"),Da),h=i.length;o>m;m++)g=k,m!==p&&(g=n.clone(g,!0,!0),h&&n.merge(i,ea(g,"script"))),c.call(a[m],g,m);if(h)for(j=i[i.length-1].ownerDocument,n.map(i,Ea),m=0;h>m;m++)g=i[m],_.test(g.type||"")&&!n._data(g,"globalEval")&&n.contains(j,g)&&(g.src?n._evalUrl&&n._evalUrl(g.src):n.globalEval((g.text||g.textContent||g.innerHTML||"").replace(za,"")));k=e=null}return a}function Ia(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(ea(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&fa(ea(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(va,"<$1></$2>")},clone:function(a,b,c){var d,e,f,g,h,i=n.contains(a.ownerDocument,a);if(l.html5Clone||n.isXMLDoc(a)||!ua.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(Ba.innerHTML=a.outerHTML,Ba.removeChild(f=Ba.firstChild)),!(l.noCloneEvent&&l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(d=ea(f),h=ea(a),g=0;null!=(e=h[g]);++g)d[g]&&Ga(e,d[g]);if(b)if(c)for(h=h||ea(a),d=d||ea(f),g=0;null!=(e=h[g]);g++)Fa(e,d[g]);else Fa(a,f);return d=ea(f,"script"),d.length>0&&fa(d,!i&&ea(a,"script")),d=h=e=null,f},cleanData:function(a,b){for(var d,e,f,g,h=0,i=n.expando,j=n.cache,k=l.attributes,m=n.event.special;null!=(d=a[h]);h++)if((b||M(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)m[e]?n.event.remove(d,e):n.removeEvent(d,e,g.handle);j[f]&&(delete j[f],k||"undefined"==typeof d.removeAttribute?d[i]=void 0:d.removeAttribute(i),c.push(f))}}}),n.fn.extend({domManip:Ha,detach:function(a){return Ia(this,a,!0)},remove:function(a){return Ia(this,a)},text:function(a){return Y(this,function(a){return void 0===a?n.text(this):this.empty().append((this[0]&&this[0].ownerDocument||d).createTextNode(a))},null,a,arguments.length)},append:function(){return 
Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.appendChild(a)}})},prepend:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&n.cleanData(ea(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&n.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return Y(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(ta,""):void 0;if("string"==typeof a&&!wa.test(a)&&(l.htmlSerialize||!ua.test(a))&&(l.leadingWhitespace||!aa.test(a))&&!da[($.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(ea(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ha(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(ea(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=0,e=[],f=n(a),h=f.length-1;h>=d;d++)c=d===h?this:this.clone(!0),n(f[d])[b](c),g.apply(e,c.get());return this.pushStack(e)}});var Ja,Ka={HTML:"block",BODY:"block"};function La(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function Ma(a){var b=d,c=Ka[a];return 
c||(c=La(a,b),"none"!==c&&c||(Ja=(Ja||n("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Ja[0].contentWindow||Ja[0].contentDocument).document,b.write(),b.close(),c=La(a,b),Ja.detach()),Ka[a]=c),c}var Na=/^margin/,Oa=new RegExp("^("+T+")(?!px)[a-z%]+$","i"),Pa=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e},Qa=d.documentElement;!function(){var b,c,e,f,g,h,i=d.createElement("div"),j=d.createElement("div");if(j.style){j.style.cssText="float:left;opacity:.5",l.opacity="0.5"===j.style.opacity,l.cssFloat=!!j.style.cssFloat,j.style.backgroundClip="content-box",j.cloneNode(!0).style.backgroundClip="",l.clearCloneStyle="content-box"===j.style.backgroundClip,i=d.createElement("div"),i.style.cssText="border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute",j.innerHTML="",i.appendChild(j),l.boxSizing=""===j.style.boxSizing||""===j.style.MozBoxSizing||""===j.style.WebkitBoxSizing,n.extend(l,{reliableHiddenOffsets:function(){return null==b&&k(),f},boxSizingReliable:function(){return null==b&&k(),e},pixelMarginRight:function(){return null==b&&k(),c},pixelPosition:function(){return null==b&&k(),b},reliableMarginRight:function(){return null==b&&k(),g},reliableMarginLeft:function(){return null==b&&k(),h}});function k(){var 
k,l,m=d.documentElement;m.appendChild(i),j.style.cssText="-webkit-box-sizing:border-box;box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%",b=e=h=!1,c=g=!0,a.getComputedStyle&&(l=a.getComputedStyle(j),b="1%"!==(l||{}).top,h="2px"===(l||{}).marginLeft,e="4px"===(l||{width:"4px"}).width,j.style.marginRight="50%",c="4px"===(l||{marginRight:"4px"}).marginRight,k=j.appendChild(d.createElement("div")),k.style.cssText=j.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",k.style.marginRight=k.style.width="0",j.style.width="1px",g=!parseFloat((a.getComputedStyle(k)||{}).marginRight),j.removeChild(k)),j.style.display="none",f=0===j.getClientRects().length,f&&(j.style.display="",j.innerHTML="<table><tr><td></td><td>t</td></tr></table>",j.childNodes[0].style.borderCollapse="separate",k=j.getElementsByTagName("td"),k[0].style.cssText="margin:0;border:0;padding:0;display:none",f=0===k[0].offsetHeight,f&&(k[0].style.display="",k[1].style.display="none",f=0===k[0].offsetHeight)),m.removeChild(i)}}}();var Ra,Sa,Ta=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ra=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c.getPropertyValue(b)||c[b]:void 0,""!==g&&void 0!==g||n.contains(a.ownerDocument,a)||(g=n.style(a,b)),c&&!l.pixelMarginRight()&&Oa.test(g)&&Na.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f),void 0===g?g:g+""}):Qa.currentStyle&&(Ra=function(a){return a.currentStyle},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Oa.test(g)&&!Ta.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 
0===g?g:g+""||"auto"});function Ua(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Va=/alpha\([^)]*\)/i,Wa=/opacity\s*=\s*([^)]*)/i,Xa=/^(none|table(?!-c[ea]).+)/,Ya=new RegExp("^("+T+")(.*)$","i"),Za={position:"absolute",visibility:"hidden",display:"block"},$a={letterSpacing:"0",fontWeight:"400"},_a=["Webkit","O","Moz","ms"],ab=d.createElement("div").style;function bb(a){if(a in ab)return a;var b=a.charAt(0).toUpperCase()+a.slice(1),c=_a.length;while(c--)if(a=_a[c]+b,a in ab)return a}function cb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=n._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&W(d)&&(f[g]=n._data(d,"olddisplay",Ma(d.nodeName)))):(e=W(d),(c&&"none"!==c||!e)&&n._data(d,"olddisplay",e?c:n.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function db(a,b,c){var d=Ya.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function eb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=n.css(a,c+V[f],!0,e)),d?("content"===c&&(g-=n.css(a,"padding"+V[f],!0,e)),"margin"!==c&&(g-=n.css(a,"border"+V[f]+"Width",!0,e))):(g+=n.css(a,"padding"+V[f],!0,e),"padding"!==c&&(g+=n.css(a,"border"+V[f]+"Width",!0,e)));return g}function fb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ra(a),g=l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Sa(a,b,f),(0>e||null==e)&&(e=a.style[b]),Oa.test(e))return e;d=g&&(l.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+eb(a,b,c||(g?"border":"content"),d,f)+"px"}n.extend({cssHooks:{opacity:{get:function(a,b){if(b){var 
c=Sa(a,"opacity");return""===c?"1":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":l.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=n.camelCase(b),i=a.style;if(b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=U.exec(c))&&e[1]&&(c=X(a,b,e),f="number"),null!=c&&c===c&&("number"===f&&(c+=e&&e[3]||(n.cssNumber[h]?"":"px")),l.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=n.camelCase(b);return b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Sa(a,b,d)),"normal"===f&&b in $a&&(f=$a[b]),""===c||c?(e=parseFloat(f),c===!0||isFinite(e)?e||0:f):f}}),n.each(["height","width"],function(a,b){n.cssHooks[b]={get:function(a,c,d){return c?Xa.test(n.css(a,"display"))&&0===a.offsetWidth?Pa(a,Za,function(){return fb(a,b,d)}):fb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ra(a);return db(a,c,d?eb(a,b,d,l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,e),e):0)}}}),l.opacity||(n.cssHooks.opacity={get:function(a,b){return Wa.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=n.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===n.trim(f.replace(Va,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Va.test(f)?f.replace(Va,e):f+" "+e)}}),n.cssHooks.marginRight=Ua(l.reliableMarginRight,function(a,b){return b?Pa(a,{display:"inline-block"},Sa,[a,"marginRight"]):void 
0}),n.cssHooks.marginLeft=Ua(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Sa(a,"marginLeft"))||(n.contains(a.ownerDocument,a)?a.getBoundingClientRect().left-Pa(a,{ marginLeft:0},function(){return a.getBoundingClientRect().left}):0))+"px":void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+V[d]+b]=f[d]||f[d-2]||f[0];return e}},Na.test(a)||(n.cssHooks[a+b].set=db)}),n.fn.extend({css:function(a,b){return Y(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ra(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return cb(this,!0)},hide:function(){return cb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){W(this)?n(this).show():n(this).hide()})}});function gb(a,b,c,d,e){return new gb.prototype.init(a,b,c,d,e)}n.Tween=gb,gb.prototype={constructor:gb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=gb.propHooks[this.prop];return a&&a.get?a.get(this):gb.propHooks._default.get(this)},run:function(a){var b,c=gb.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):gb.propHooks._default.set(this),this}},gb.prototype.init.prototype=gb.prototype,gb.propHooks={_default:{get:function(a){var b;return 
1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},gb.propHooks.scrollTop=gb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=gb.prototype.init,n.fx.step={};var hb,ib,jb=/^(?:toggle|show|hide)$/,kb=/queueHooks$/;function lb(){return a.setTimeout(function(){hb=void 0}),hb=n.now()}function mb(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=V[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function nb(a,b,c){for(var d,e=(qb.tweeners[b]||[]).concat(qb.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ob(a,b,c){var d,e,f,g,h,i,j,k,m=this,o={},p=a.style,q=a.nodeType&&W(a),r=n._data(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,m.always(function(){m.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=n.css(a,"display"),k="none"===j?n._data(a,"olddisplay")||Ma(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(l.inlineBlockNeedsLayout&&"inline"!==Ma(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",l.shrinkWrapBlocks()||m.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],jb.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||n.style(a,d)}else j=void 
0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return 
X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return 
null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML=" <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof 
e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 
b.fn.modal=d,this},b(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(f){var j=b(this),h=j.attr("href"),g=b(j.attr("data-target")||h&&h.replace(/.*(?=#[^\s]+$)/,"")),e=g.data("bs.modal")?"toggle":b.extend({remote:!/#/.test(h)&&h},g.data(),j.data());j.is("a")&&f.preventDefault(),g.one("show.bs.modal",function(k){k.isDefaultPrevented()||g.one("hidden.bs.modal",function(){j.is(":visible")&&j.trigger("focus")})}),c.call(g,e,this)})}(jQuery),+function(b){function c(h){var g,j=h.attr("data-target")||(g=h.attr("href"))&&g.replace(/.*(?=#[^\s]+$)/,"");return b(j)}function a(g){return this.each(function(){var e=b(this),j=e.data("bs.collapse"),h=b.extend({},f.DEFAULTS,e.data(),"object"==typeof g&&g);!j&&h.toggle&&/show|hide/.test(g)&&(h.toggle=!1),j||e.data("bs.collapse",j=new f(this,h)),"string"==typeof g&&j[g]()})}var f=function(h,g){this.$element=b(h),this.options=b.extend({},f.DEFAULTS,g),this.$trigger=b('[data-toggle="collapse"][href="#'+h.id+'"],[data-toggle="collapse"][data-target="#'+h.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle()};f.VERSION="3.3.7",f.TRANSITION_DURATION=350,f.DEFAULTS={toggle:!0},f.prototype.dimension=function(){var e=this.$element.hasClass("width");return e?"width":"height"},f.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var k,m=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(m&&m.length&&(k=m.data("bs.collapse"),k&&k.transitioning))){var h=b.Event("show.bs.collapse");if(this.$element.trigger(h),!h.isDefaultPrevented()){m&&m.length&&(a.call(m,"hide"),k||m.data("bs.collapse",null));var g=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[g](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var 
j=function(){this.$element.removeClass("collapsing").addClass("collapse in")[g](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse")};if(!b.support.transition){return j.call(this)}var l=b.camelCase(["scroll",g].join("-"));this.$element.one("bsTransitionEnd",b.proxy(j,this)).emulateTransitionEnd(f.TRANSITION_DURATION)[g](this.$element[0][l])}}}},f.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var h=b.Event("hide.bs.collapse");if(this.$element.trigger(h),!h.isDefaultPrevented()){var g=this.dimension();this.$element[g](this.$element[g]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var j=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse")};return b.support.transition?void this.$element[g](0).one("bsTransitionEnd",b.proxy(j,this)).emulateTransitionEnd(f.TRANSITION_DURATION):j.call(this)}}},f.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]()},f.prototype.getParent=function(){return b(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(b.proxy(function(e,h){var g=b(h);this.addAriaAndCollapsedClass(c(g),g)},this)).end()},f.prototype.addAriaAndCollapsedClass=function(h,j){var g=h.hasClass("in");h.attr("aria-expanded",g),j.toggleClass("collapsed",!g).attr("aria-expanded",g)};var d=b.fn.collapse;b.fn.collapse=a,b.fn.collapse.Constructor=f,b.fn.collapse.noConflict=function(){return b.fn.collapse=d,this},b(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(k){var j=b(this);j.attr("data-target")||k.preventDefault();var g=c(j),e=g.data("bs.collapse"),h=e?"toggle":j.data();a.call(g,h)})}(jQuery),+function(a){function b(){var 
d=document.createElement("bootstrap"),f={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in f){if(void 0!==d.style[c]){return{end:f[c]}}}return !1}a.fn.emulateTransitionEnd=function(d){var c=!1,g=this;a(this).one("bsTransitionEnd",function(){c=!0});var f=function(){c||a(g).trigger(a.support.transition.end)};return setTimeout(f,d),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(c){return a(c.target).is(this)?c.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery);function openRuleDetailsDialog(d){var a=$('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="false" title="Close">❌</button>');var b=$('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="false"><div id="detail-modal-body" class="modal-body"></div></div>');$("body").prepend(b);var c=$("#rule-detail-"+d).clone();c.attr("id","");c.children(".panel-heading").append(a);a.css({"float":"right"});a.css({"margin-top":"-=23px"});$("#detail-modal-body").append(c);$("#detail-modal").on("hidden.bs.modal",function(f){$("#detail-modal").remove()});$("#detail-modal").modal();return false}function toggleRuleDisplay(b){var a=b.value;if(b.checked){$(".rule-overview-leaf-"+a).removeClass("rule-result-filtered");$(".rule-detail-"+a).removeClass("rule-result-filtered")}else{$(".rule-overview-leaf-"+a).addClass("rule-result-filtered");$(".rule-detail-"+a).addClass("rule-result-filtered")}stripeTreeTable()}function toggleResultDetails(b){var a=$("#result-details");if(a.is(":visible")){a.hide();$(b).html("Show all result details")}else{a.show();$(b).html("Hide all result details")}return false}function ruleSearchMatches(e,c){if(c.length==0){return true}var b=true;var 
d=e.children(".keywords").text().toLowerCase();var a;for(a=0;a<c.length;++a){if(d.indexOf(c[a].toLowerCase())<0){b=false;break}}return b}function ruleSearch(){var c=$("#search-input").val();var a=c.split(/[\s,\.;]+/);var b=0;$(".rule-detail").each(function(){var d=$(this).attr("id").substring(12);var e=$("#rule-overview-leaf-"+d);var f=$(this);if(ruleSearchMatches(f,a)){e.removeClass("search-no-match");f.removeClass("search-no-match");++b}else{e.addClass("search-no-match");f.addClass("search-no-match")}});if(!c){$("#search-matches").html("")}else{if(b>0){$("#search-matches").html(b.toString()+" rules match.")}else{$("#search-matches").html("No rules match your search criteria!")}}}var is_original=true;var original_treetable=null;$(document).ready(function(){$("#result-details").hide();$(".js-only").show();$(".form-group select").val("default");$(".toggle-rule-display").each(function(){toggleRuleDisplay(this)});original_treetable=$(".treetable").clone();$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});is_original=true;stripeTreeTable()});function resetTreetable(){if(!is_original){$(".treetable").remove();$("#rule-overview").append(original_treetable.clone());$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});$(".toggle-rule-display").each(function(){toggleRuleDisplay(this)});is_original=true}}function newGroupLine(a,c){var b=24;if(a.length>b){a=a.substring(0,b-1)+"…"}return'<tr class="rule-overview-inner-node" data-tt-id="'+c+'"><td colspan="3"><small>'+a+"</small> = <strong>"+c+"</strong></td></tr>"}var KeysEnum={DEFAULT:"default",SEVERITY:"severity",RESULT:"result",NIST:"NIST SP 800-53 ID",DISA_CCI:"DISA CCI",DISA_SRG:"DISA SRG",DISA_STIG_ID:"DISA STIG ID",PCI_DSS:"PCI DSS Requirement",CIS:"CIS Recommendation"};function getTargetGroupsList(f,d){switch(d){case KeysEnum.SEVERITY:var b=f.children(".rule-severity").text();return[b];case 
KeysEnum.RESULT:var a=f.children(".rule-result").text();return[a];default:try{var c=JSON.parse(f.attr("data-references"))}catch(e){return["unknown"]}if(!c.hasOwnProperty(d)){return["unknown"]}return c[d]}}function sortGroups(a,b){switch(b){case KeysEnum.SEVERITY:return["high","medium","low"];case KeysEnum.RESULT:return a.sort();default:return a.sort(function(e,d){var f=e.split(/[.()-]/);var g=d.split(/[.()-]/);var c=0;var j=Math.min(f.length,g.length);var h=/^[1-9][0-9]*$/;for(var i=0;i<j&&c==0;i++){if(f[i].match(h)==null||g[i].match(h)==null){c=f[i].localeCompare(g[i])}else{c=parseInt(f[i],10)-parseInt(g[i],10)}}if(c==0){c=f.length-g.length}return c})}}function groupRulesBy(c){resetTreetable();if(c==KeysEnum.DEFAULT){return}var b={};$(".rule-overview-leaf").each(function(){$(this).children("td:first").css("padding-left","0px");var j=$(this).attr("data-tt-id");var g=getTargetGroupsList($(this),c);for(var i=0;i<g.length;i++){var e=g[i];if(!b.hasOwnProperty(e)){b[e]=[newGroupLine(c,e)]}var h=$(this).clone();h.attr("data-tt-id",j+"copy"+i);h.attr("data-tt-parent-id",e);var f=h.wrap("<div>").parent().html();b[e].push(f)}});$(".treetable").remove();var a=sortGroups(Object.keys(b),c);var d="";for(var i=0;i<a.length;i++){d+=b[a[i]].join("\n")}var new_table='<table class="treetable table table-bordered"><thead><tr><th>Group</th> <th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody>'+d+"</tbody></table>";$("#rule-overview").append(new_table);is_original=false;$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});stripeTreeTable()}function stripeTreeTable(){var a=$(".rule-overview-leaf:not(.rule-result-filtered)");var b=false;$(a).each(function(){$(this).css("background-color",b?"#F9F9F9":"inherit");b=!b})};</script></head><body><nav class="navbar navbar-default"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg 
xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</h2><blockquote>with profile <mark>Australian Cyber Security Centre (ACSC) ISM Official</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configuration checks for Red Hat Enterprise Linux 9 that align to the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) with the applicability marking of OFFICIAL. The ISM uses a risk-based approach to cyber security. 
This profile provides a guide to aligning Red Hat Enterprise Linux security controls with the ISM, which can be used to select controls specific to an organisation's security posture and risk profile. A copy of the ISM can be found at the ACSC website: https://www.cyber.gov.au/ism</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br> <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a> </div><div class="description">This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 9. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the <code>scap-security-guide</code> package which is developed at <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>. <br><br> Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a <em>catalog, not a checklist</em>, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. 
Some example XCCDF <em>Profiles</em>, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. </div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. </div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td></tr><tr><th>Benchmark URL</th><td>#scap_org.open-scap_comp_ssg-rhel9-xccdf.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-9</td></tr><tr><th>Benchmark version</th><td>0.1.66</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr><tr><th>Started at</th><td>2023-07-18T12:27:24+10:00</td></tr><tr><th>Finished at</th><td>2023-07-18T12:28:10+10:00</td></tr><tr><th>Performed by</th><td>quickcluster</td></tr><tr><th>Test system</th><td>cpe:/a:redhat:openscap:1.3.7</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:9 was found applicable on the evaluated machine">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div><div class="col-md-4 
horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>  127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span>  10.0.88.46</li><li class="list-group-item"><span class="label label-info">IPv6</span>  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>  2620:52:0:58:f816:3eff:fe08:c2fe</li><li class="list-group-item"><span class="label label-info">IPv6</span>  fe80:0:0:0:f816:3eff:fe08:c2fe</li><li class="list-group-item"><span class="label label-default">MAC</span>  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>  FA:16:3E:08:C2:FE</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 82 rules!</strong> Please review rule results and consider applying remediation. </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were $not_ignored_rules_count rules taken into account."><div class="progress-bar progress-bar-success" style="width: 42.0689655172414%">61 passed </div><div class="progress-bar progress-bar-danger" style="width: 56.551724137931%">82 failed </div><div class="progress-bar progress-bar-warning" style="width: 1.379310344827589%">2 other </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). 
There were 82 total failed rules."><div class="progress-bar progress-bar-success" style="width: 0%">0 other </div><div class="progress-bar progress-bar-info" style="width: 4.878048780487805%">4 low </div><div class="progress-bar progress-bar-warning" style="width: 87.8048780487805%">72 medium </div><div class="progress-bar progress-bar-danger" style="width: 7.317073170731707%">6 high </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">62.740814</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 62.740814%">62.74%</div><div class="progress-bar progress-bar-danger" style="width: 37.259186%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass">pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed">fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational">informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail">fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" 
onclick="toggleRuleDisplay(this)" checked value="error">error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown">unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked">notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable">notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> Group rules by: <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>──────────</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="ANSSI">ANSSI</option><option value="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</option><option value="https://public.cyber.mil/stigs/cci/">https://public.cyber.mil/stigs/cci/</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os</option><option value="https://www.cisecurity.org/benchmark/red_hat_linux/">https://www.cisecurity.org/benchmark/red_hat_linux/</option><option 
value="https://www.cisecurity.org/controls/">https://www.cisecurity.org/controls/</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu</option><option value="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat</option><option value="https://www.isaca.org/resources/cobit">https://www.isaca.org/resources/cobit</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-9" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</strong> <span class="badge">82x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> 
<span class="badge">62x fail</span> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">9x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System and Software Integrity</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Software Integrity Checking</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px"><strong>Verify Integrity with RPM</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-overview-leaf-idm46361753259424" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST 
SP 800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753259424" onclick="return openRuleDetailsDialog('idm46361753259424')">Verify File Hashes with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-overview-leaf-idm46361753255456" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 
800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5","PR.IP-1","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001494","CCI-001496"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098","SRG-OS-000278-GPOS-00108"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.15"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5","6","9"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.3.7.3","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753255456" onclick="return openRuleDetailsDialog('idm46361753255456')">Verify and Correct Ownership with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753251488" data-tt-parent-id="xccdf_org.ssgproject.content_group_rpm_verification" data-references='{"NIST SP 800-171":["3.3.8","3.4.1"],"NIST SP 800-53":["CM-6(d)","CM-6(c)","SI-7","SI-7(1)","SI-7(6)","AU-9(3)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5","PR.IP-1","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001493","CCI-001494","CCI-001495","CCI-001496"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000256-GPOS-00097","SRG-OS-000257-GPOS-00098","SRG-OS-000258-GPOS-00099","SRG-OS-000278-GPOS-00108"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.15"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5","6","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.3.7.3","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753251488" onclick="return openRuleDetailsDialog('idm46361753251488')">Verify and Correct File Permissions with RPM</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px"><strong>Verify Integrity with AIDE</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753247504" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"":["1034","1288","1341","1417"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/cci/":["CCI-002696","CCI-002699","CCI-001744"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.3.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI CJIS":["5.10.1.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361753247504" onclick="return openRuleDetailsDialog('idm46361753247504')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Federal Information Processing Standard 
(FIPS)</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_fips_mode" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753213824" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"":["1446","SRG-OS-000120-VMM-000600","SRG-OS-000478-VMM-001980","SRG-OS-000396-VMM-001590"],"NIST SP 800-53":["CM-3(6)","SC-12(2)","SC-12(3)","IA-7","SC-13","CM-6(a)","SC-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000068","CCI-000803","CCI-002450"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000478-GPOS-00223","SRG-OS-000396-GPOS-00176"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_COP.1(1)","FCS_COP.1(2)","FCS_COP.1(3)","FCS_COP.1(4)","FCS_CKM.1","FCS_CKM.2","FCS_TLSC_EXT.1","FCS_RBG_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753213824" onclick="return openRuleDetailsDialog('idm46361753213824')">Enable FIPS Mode</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_crypto" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>System Cryptographic Policies</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753198848" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"":["1446"],"NIST SP 800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000396-GPOS-00176","SRG-OS-000393-GPOS-00173","SRG-OS-000394-GPOS-00174"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.10"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_COP.1(1)","FCS_COP.1(2)","FCS_COP.1(3)","FCS_COP.1(4)","FCS_CKM.1","FCS_CKM.2","FCS_TLSC_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753198848" onclick="return openRuleDetailsDialog('idm46361753198848')">Configure System Cryptography Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="rule-overview-leaf-idm46361753180512" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 
800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13"],"https://public.cyber.mil/stigs/cci/":["CCI-001453"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000250-GPOS-00093"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.14"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_SSH_EXT.1","FCS_SSHS_EXT.1","FCS_SSHC_EXT.1"],"PCI-DSS Requirement":["Req-2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361753180512" onclick="return openRuleDetailsDialog('idm46361753180512')">Configure SSH to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Sudo</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sudo_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-overview-leaf-idm46361753037232" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["1382","1384","1386"],"NIST SP 
800-53":["CM-6(a)"],"ANSSI":["BP28(R19)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.3.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-10.2.1.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753037232" onclick="return openRuleDetailsDialog('idm46361753037232')">Install sudo Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-overview-leaf-idm46361753022496" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753022496" onclick="return openRuleDetailsDialog('idm46361753022496')">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753018496" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"":["SRG-OS-000373-VMM-001470","SRG-OS-000373-VMM-001480","SRG-OS-000373-VMM-001490"],"NIST SP 800-53":["IA-11","CM-6(a)"],"ANSSI":["BP28(R5)","BP28(R59)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156","SRG-OS-000373-GPOS-00157","SRG-OS-000373-GPOS-00158"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753018496" onclick="return openRuleDetailsDialog('idm46361753018496')">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_require_authentication" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361753014528" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"NIST SP 800-53":["IA-11","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002038"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000373-GPOS-00156"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.3.4"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 
1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361753014528" onclick="return openRuleDetailsDialog('idm46361753014528')">Ensure Users Re-Authenticate for Privilege Escalation - sudo</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System Tooling / Utilities</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rear_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752980784" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361752980784" onclick="return openRuleDetailsDialog('idm46361752980784')">Install rear Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">2x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752945632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"ANSSI":["BP28(R8)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752945632" onclick="return openRuleDetailsDialog('idm46361752945632')">Configure dnf-automatic to Install Only Security Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm46361752941632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.2"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752941632" onclick="return openRuleDetailsDialog('idm46361752941632')">Ensure gpgcheck Enabled In Main dnf Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752937632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" 
data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-11(a)","CM-11(b)","CM-6(a)","CM-5(3)","SA-12","SA-12(10)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752937632" onclick="return openRuleDetailsDialog('idm46361752937632')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idm46361752933632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752933632" onclick="return openRuleDetailsDialog('idm46361752933632')">Ensure gpgcheck Enabled for All dnf Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idm46361752929632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" 
data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)"],"ANSSI":["BP28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.2.1"],"https://www.cisecurity.org/controls/":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-003-8 R6","CIP-007-3 R4","CIP-007-3 R4.1","CIP-007-3 R4.2","CIP-007-3 R5.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752929632" onclick="return openRuleDetailsDialog('idm46361752929632')">Ensure Red Hat GPG Key Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-overview-leaf-idm46361752925632" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["SI-2(5)","SI-2(c)","CM-6(a)"],"ANSSI":["BP28(R08)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.RA-1","PR.IP-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001227"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.9"],"https://www.cisecurity.org/controls/":["18","20","4"],"FBI CJIS":["5.10.4.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3","4.2.3.12","4.2.3.7","4.2.3.9"],"https://www.isaca.org/resources/cobit":["APO12.01","APO12.02","APO12.03","APO12.04","BAI03.10","DSS05.01","DSS05.02"],"ISO 27001-2013":["A.12.6.1","A.14.2.3","A.16.1.3","A.18.2.2","A.18.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752925632" onclick="return openRuleDetailsDialog('idm46361752925632')">Ensure Software Patches Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system.
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">10x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Configuring PAM</strong> <span class="badge">6x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Lockouts for Failed Password Attempts</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752843360" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 800-171":["3.1.8"],"NIST SP 
800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.2","5.5.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752843360" onclick="return openRuleDetailsDialog('idm46361752843360')">Lock Accounts After Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752838496" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)","IA-5(c)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752838496" onclick="return openRuleDetailsDialog('idm46361752838496')">Configure the root Account for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752829680" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000021-VMM-000050"],"NIST SP 
800-53":["CM-6(a)","AC-7(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752829680" onclick="return openRuleDetailsDialog('idm46361752829680')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752822064" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000329-VMM-001180"],"NIST SP 800-171":["3.1.8"],"NIST SP 
800-53":["CM-6(a)","AC-7(b)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000044","CCI-002236","CCI-002237","CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.2"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752822064" onclick="return openRuleDetailsDialog('idm46361752822064')">Set Lockout Time for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px"><strong>Set Password Quality Requirements</strong> <span class="badge">1x fail</span></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px"><strong>Set Password Quality Requirements with pam_pwquality</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752793456" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000072-VMM-000390","SRG-OS-000078-VMM-000450"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.5.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 
27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm46361752793456" onclick="return openRuleDetailsDialog('idm46361752793456')">Ensure PAM Enforces Password Requirements - Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_display_login_attempts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752871760" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-53":["AC-9","AC-9(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000052"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.2"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-10.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752871760" onclick="return 
openRuleDetailsDialog('idm46361752871760')">Ensure PAM Displays Last Logon/Access Notification</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Physical Console Access<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-physical");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_emergency_target_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_emergency_target_auth" id="rule-overview-leaf-idm46361752747952" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 
800-53":["IA-2","AC-3","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752747952" onclick="return openRuleDetailsDialog('idm46361752747952')">Require Authentication for Emergency Systemd Target</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idm46361752743952" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 800-53":["IA-2","AC-3","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 
27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752743952" onclick="return openRuleDetailsDialog('idm46361752743952')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752689296" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"ANSSI":["BP28(R18)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000076-GPOS-00044"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752689296" onclick="return openRuleDetailsDialog('idm46361752689296')">Set Password Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752684448" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000198"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000075-GPOS-00043"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.2"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.3.9"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752684448" onclick="return openRuleDetailsDialog('idm46361752684448')">Set Password Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" 
id="rule-overview-leaf-idm46361752671456" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.1.3"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.3.9"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752671456" onclick="return openRuleDetailsDialog('idm46361752671456')">Set Password Warning Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td 
colspan="3" style="padding-left: 76px"><strong>Verify Proper Storage and Existence of Password Hashes</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-overview-leaf-idm46361752666576" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"":["1410"],"NIST SP 800-171":["3.5.10"],"NIST SP 800-53":["IA-5(h)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.2.1"],"https://www.cisecurity.org/controls/":["1","12","15","16","5"],"FBI CJIS":["5.5.2"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752666576" onclick="return openRuleDetailsDialog('idm46361752666576')">Verify All Account Password Hashes are Shadowed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752651744" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["IA-5(1)(a)","IA-5(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"],"PCI-DSS 
Requirement":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752651744" onclick="return openRuleDetailsDialog('idm46361752651744')">Prevent Login to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-overview-leaf-idm46361752634272" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["IA-2","AC-6(5)","IA-4(b)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.2.9"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"PCI-DSS Requirement":["Req-8.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752634272" onclick="return openRuleDetailsDialog('idm46361752634272')">Verify Only Root Has UID 0</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-overview-leaf-idm46361752622816" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"":["1491"],"NIST SP 
800-53":["AC-6","CM-6(a)","CM-6(b)","CM-6.1(iv)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.6.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","18","3","5","7","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS06.03"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.6.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752622816" onclick="return openRuleDetailsDialog('idm46361752622816')">Ensure that System Accounts Do Not Run a Shell Upon Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_authselect" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752918272" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts" data-references='{"NIST SP 
800-53":["AC-3"],"ANSSI":["BP28(R5)"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.4.1"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1","FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361752918272" onclick="return openRuleDetailsDialog('idm46361752918272')">Enable authselect</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with auditd</strong> <span class="badge">27x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Rules for Comprehensive Auditing</strong> <span class="badge">24x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Events that Modify the System's Discretionary Access Controls</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752435232" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"":["SRG-OS-000458-VMM-001810","SRG-OS-000474-VMM-001940"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000064-GPOS-00033","SRG-OS-000466-GPOS-00210","SRG-OS-000458-GPOS-00203"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.9"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752435232" onclick="return openRuleDetailsDialog('idm46361752435232')">Record Events that Modify the System's Discretionary Access Controls - chmod</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752431232" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_dac_actions" data-references='{"":["SRG-OS-000458-VMM-001810","SRG-OS-000474-VMM-001940"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000064-GPOS-00033","SRG-OS-000466-GPOS-00210","SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.9"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752431232" onclick="return openRuleDetailsDialog('idm46361752431232')">Record Events that Modify the System's Discretionary Access Controls - chown</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Execution Attempts to Run SELinux Privileged Commands</strong> <span class="badge">6x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752386592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000468-GPOS-00212","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.15"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752386592" onclick="return openRuleDetailsDialog('idm46361752386592')">Record Any Attempts to Run chcon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least 
one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752382592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752382592" onclick="return openRuleDetailsDialog('idm46361752382592')">Record Any Attempts to Run restorecon</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752378592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752378592" onclick="return openRuleDetailsDialog('idm46361752378592')">Record Any Attempts to Run semanage</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752374592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752374592" onclick="return openRuleDetailsDialog('idm46361752374592')">Record Any Attempts to Run setfiles</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752370592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td 
style="padding-left: 95px"><a href="#rule-detail-idm46361752370592" onclick="return openRuleDetailsDialog('idm46361752370592')">Record Any Attempts to Run setsebool</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752366592" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" data-references='{"":["SRG-OS-000463-VMM-001850"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000172"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752366592" onclick="return openRuleDetailsDialog('idm46361752366592')">Record Any Attempts to Run seunshare</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_file_modification" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_file_modification" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Unauthorized Access Attempts Events to Files (unsuccessful)</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" 
id="rule-overview-leaf-idm46361752285856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_file_modification" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.4","Req-10.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752285856" onclick="return openRuleDetailsDialog('idm46361752285856')">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on Kernel Modules Loading and Unloading</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752202864" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752202864" onclick="return openRuleDetailsDialog('idm46361752202864')">Ensure auditd Collects Information on Kernel Module Loading and Unloading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Attempts to Alter Logon and Logout Events</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752190704" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"NIST SP 
800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752190704" onclick="return openRuleDetailsDialog('idm46361752190704')">Record Attempts to Alter Logon and Logout Events</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752186720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.12"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752186720" onclick="return openRuleDetailsDialog('idm46361752186720')">Record Attempts to Alter Logon and Logout Events - faillock</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752182720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000473-GPOS-00218","SRG-OS-000470-GPOS-00214"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.12"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752182720" onclick="return openRuleDetailsDialog('idm46361752182720')">Record Attempts to Alter Logon and Logout Events - lastlog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752178720" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_login_events" data-references='{"":["SRG-OS-000473-VMM-001930","SRG-OS-000470-VMM-001900"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000172","CCI-002884","CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000392-GPOS-00172","SRG-OS-000470-GPOS-00214","SRG-OS-000473-GPOS-00218"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 
2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752178720" onclick="return openRuleDetailsDialog('idm46361752178720')">Record Attempts to Alter Logon and Logout Events - tallylog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_privileged_commands" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Record Information on the Use of Privileged Commands</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" class="rule-overview-leaf 
rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752163904" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_privileged_commands" data-references='{"":["0582","0584","05885","0586","0846","0957","SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-2","DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","DE.DP-4","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4","RS.CO-2"],"https://public.cyber.mil/stigs/cci/":["CCI-002234"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000327-GPOS-00127"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.6"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 3.9","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.5","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.3.4.5.9","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO08.04","APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.05","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.1","A.16.1.2","A.16.1.3","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.3","A.6.2.1","A.6.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"PCI-DSS Requirement":["Req-10.2.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752163904" onclick="return openRuleDetailsDialog('idm46361752163904')">Ensure auditd Collects Information on the Use of Privileged Commands</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_time_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_audit_time_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules"><td colspan="3" style="padding-left: 76px"><strong>Records Events that Modify Date and Time Information</strong> <span class="badge">5x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752091856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752091856" onclick="return openRuleDetailsDialog('idm46361752091856')">Record attempts to alter time through adjtimex</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752087856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752087856" onclick="return openRuleDetailsDialog('idm46361752087856')">Record Attempts to Alter Time Through clock_settime</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752083856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752083856" onclick="return openRuleDetailsDialog('idm46361752083856')">Record attempts to alter time through settimeofday</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752079856" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752079856" onclick="return openRuleDetailsDialog('idm46361752079856')">Record Attempts to Alter Time Through stime</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752075872" data-tt-parent-id="xccdf_org.ssgproject.content_group_audit_time_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001487","CCI-000169"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.4"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.4.2.b"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361752075872" onclick="return openRuleDetailsDialog('idm46361752075872')">Record Attempts to Alter the localtime File</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752504752" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.5"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.5.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752504752" onclick="return openRuleDetailsDialog('idm46361752504752')">Record Events that Modify the System's Network Environment</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_session_events" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752500736" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AU-2(d)","AU-12(c)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.11"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752500736" onclick="return openRuleDetailsDialog('idm46361752500736')">Record Attempts to Alter Process and Session Initiation Information</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752488656" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["SRG-OS-000462-VMM-001840","SRG-OS-000471-VMM-001910"],"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(7)(b)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-1","PR.AC-3","PR.AC-4","PR.AC-6","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000135","CCI-000169","CCI-000172","CCI-002884"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000062-GPOS-00031","SRG-OS-000304-GPOS-00121","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000470-GPOS-00214","SRG-OS-000471-GPOS-00215","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000304-GPOS-00121","SRG-OS-000466-GPOS-00210","SRG-OS-000476-GPOS-00221"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.1.3.1"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.2.2","4.3.3.3.9","4.3.3.5.1","4.3.3.5.2","4.3.3.5.8","4.3.3.6.6","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS06.03","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.2","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.1.5","Req-10.2.2","Req-10.2.5.b"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752488656" onclick="return openRuleDetailsDialog('idm46361752488656')">Ensure auditd Collects System Administrator Actions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752481952" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" 
data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-1","PR.AC-3","PR.AC-4","PR.AC-6","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000018","CCI-000130","CCI-000172","CCI-001403","CCI-002130"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000037-GPOS-00015","SRG-OS-000042-GPOS-00020","SRG-OS-000239-GPOS-00089","SRG-OS-000241-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000392-GPOS-00172","SRG-OS-000462-GPOS-00206","SRG-OS-000471-GPOS-00215","SRG-OS-000476-GPOS-00221"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.10","4.3.2.6.7","4.3.3.2.2","4.3.3.3.9","4.3.3.5.1","4.3.3.5.2","4.3.3.5.8","4.3.3.6.6","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS06.03","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.2","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.2","CIP-004-6 R2.2.3","CIP-007-3 R.1.3","CIP-007-3 R5","CIP-007-3 R5.1.1","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752481952" onclick="return openRuleDetailsDialog('idm46361752481952')">Record Events that Modify User/Group Information</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>Configure auditd Data Retention</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" id="rule-overview-leaf-idm46361752036624" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-171":["3.3.1"],"NIST SP 
800-53":["AU-11","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001576"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-004-6 R2.2.3","CIP-004-6 R3.3","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752036624" onclick="return openRuleDetailsDialog('idm46361752036624')">Configure auditd flush priority</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_freq" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-overview-leaf-idm46361752012816" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000051-GPOS-00024"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752012816" onclick="return openRuleDetailsDialog('idm46361752012816')">Set number of records to cause an explicit flush to audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_local_events" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-overview-leaf-idm46361752008848" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000062-GPOS-00031","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752008848" onclick="return openRuleDetailsDialog('idm46361752008848')">Include Local Events in Audit Logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_log_format" 
class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-overview-leaf-idm46361752004880" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6","AU-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000255-GPOS-00096","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752004880" onclick="return openRuleDetailsDialog('idm46361752004880')">Resolve information before writing to audit logs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_name_format" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361752000912" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6","AU-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000039-GPOS-00017","SRG-OS-000342-GPOS-00133","SRG-OS-000479-GPOS-00224"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361752000912" onclick="return openRuleDetailsDialog('idm46361752000912')">Set hostname as computer node name in audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one 
condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_write_logs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-overview-leaf-idm46361751994240" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_STG.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751994240" onclick="return openRuleDetailsDialog('idm46361751994240')">Write Audit Logs to the Disk</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_policy_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_policy_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>System Accounting with auditd</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_access_failed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751990272" data-tt-parent-id="xccdf_org.ssgproject.content_group_policy_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 
800-53":["AU-2(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219","SRG-OS-000475-GPOS-00220","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209","SRG-OS-000461-GPOS-00205"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751990272" onclick="return openRuleDetailsDialog('idm46361751990272')">Configure auditing of unsuccessful file accesses</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_access_success" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751980896" data-tt-parent-id="xccdf_org.ssgproject.content_group_policy_rules" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-53":["AU-2(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000458-GPOS-00203","SRG-OS-000474-GPOS-00219","SRG-OS-000475-GPOS-00220","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209","SRG-OS-000461-GPOS-00205"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751980896" onclick="return openRuleDetailsDialog('idm46361751980896')">Configure auditing of successful file accesses</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node 
rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">4x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Ensure Proper Configuration of Log Files</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-overview-leaf-idm46361751554064" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 
27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.15.2.1","A.15.2.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751554064" onclick="return openRuleDetailsDialog('idm46361751554064')">Ensure cron Is Logging To Rsyslog</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-overview-leaf-idm46361751541920" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 
R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751541920" onclick="return openRuleDetailsDialog('idm46361751541920')">Ensure Log Files Are Owned By Appropriate Group</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-overview-leaf-idm46361751537920" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R46)","BP28(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS 
Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751537920" onclick="return openRuleDetailsDialog('idm46361751537920')">Ensure Log Files Are Owned By Appropriate User</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751533936" data-tt-parent-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.3"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-10.5.1","Req-10.5.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751533936" onclick="return openRuleDetailsDialog('idm46361751533936')">Ensure System Log Files Have Correct Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td 
colspan="3" style="padding-left: 57px">Configure rsyslogd to Accept Remote Messages If Acting as a Log Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-overview-leaf-idm46361751503424" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.IP-1","PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000366","CCI-000368","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.7"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.3.9","4.3.3.4","4.3.3.5.8","4.3.4.3.2","4.3.4.3.3","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02","MEA02.01"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.5.1","A.12.6.2","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751503424" onclick="return openRuleDetailsDialog('idm46361751503424')">Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751499456" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405","SRG-OS-000032-VMM-000130"],"NIST SP 
800-53":["CM-6(a)","AU-4(1)","AU-9(2)"],"ANSSI":["BP28(R7)","NT28(R43)","NT12(R5)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001348","CCI-000136","CCI-001851"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000480-GPOS-00227","SRG-OS-000342-GPOS-00133"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.6"],"https://www.cisecurity.org/controls/":["1","13","14","15","16","2","3","5","6"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 7.1","SR 7.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.17.2.1"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.2","CIP-004-6 R3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751499456" onclick="return openRuleDetailsDialog('idm46361751499456')">Ensure Logs Sent To Remote Host</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" 
class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751495472" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"NIST SP 800-53":["AU-9(3)","CM-6(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1","FTP_ITC_EXT.1.1","FIA_X509_EXT.1.1","FMT_SMF_EXT.1.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751495472" onclick="return openRuleDetailsDialog('idm46361751495472')">Configure TLS for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751491504" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_TLSC_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751491504" onclick="return openRuleDetailsDialog('idm46361751491504')">Configure CA certificate for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idm46361751562048" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000051-GPOS-00024","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.1"],"https://www.cisecurity.org/controls/":["1","14","15","16","3","5","6"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751562048" onclick="return openRuleDetailsDialog('idm46361751562048')">Ensure rsyslog is Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-overview-leaf-idm46361751558048" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"NIST SP 800-53":["CM-6(a)","AU-4(1)"],"ANSSI":["BP28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.DS-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312","CCI-001557","CCI-001851","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["4.2.1.2"],"https://www.cisecurity.org/controls/":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2","SR 7.1","SR 7.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isaca.org/resources/cobit":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO13.01","BAI03.05","BAI04.04","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2","A.17.2.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751558048" onclick="return openRuleDetailsDialog('idm46361751558048')">Enable rsyslog Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Network Configuration and Firewalls</strong> <span class="badge">4x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px"><strong>firewalld</strong> <span class="badge">3x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Inspect and Activate Default firewalld Rules</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_firewalld_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751474128" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"NIST SP 800-53":["CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115","SRG-OS-000298-GPOS-00116","SRG-OS-000480-GPOS-00227","SRG-OS-000480-GPOS-00232"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751474128" onclick="return 
openRuleDetailsDialog('idm46361751474128')">Install firewalld Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751470128" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"NIST SP 800-171":["3.1.3","3.4.7"],"NIST SP 800-53":["AC-4","CM-7(b)","CA-3(5)","SC-7(21)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000382","CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115","SRG-OS-000480-GPOS-00227","SRG-OS-000480-GPOS-00231","SRG-OS-000480-GPOS-00232"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.1.2"],"https://www.cisecurity.org/controls/":["11","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4","CIP-003-8 R5","CIP-004-6 R3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751470128" onclick="return openRuleDetailsDialog('idm46361751470128')">Verify firewalld Enabled</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px"><strong>Strengthen the Default Ruleset</strong> <span class="badge">1x fail</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-overview-leaf-idm46361751466128" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"":["1416","SRG-OS-000096-VMM-000490","SRG-OS-000480-VMM-002000"],"NIST SP 800-53":["AC-4","CM-7(b)","CA-3(5)","SC-7(21)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000382","CCI-002314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050","SRG-OS-000297-GPOS-00115"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.2.5"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751466128" onclick="return openRuleDetailsDialog('idm46361751466128')">Configure the Firewalld Ports</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751460080" data-tt-parent-id="xccdf_org.ssgproject.content_group_ruleset_modifications" data-references='{"":["1416","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.3","3.4.7","3.13.6"],"NIST SP 800-53":["CA-3(5)","CM-7(b)","SC-7(23)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.4.2.1"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"FBI CJIS":["5.10.1"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-1.4"]}'><td style="padding-left: 
95px"><a href="#rule-detail-idm46361751460080" onclick="return openRuleDetailsDialog('idm46361751460080')">Set Default firewalld Zone for Incoming Packets</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Wireless Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-wireless");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" style="padding-left: 76px">Disable Wireless Through Software Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_wireless_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" id="rule-overview-leaf-idm46361751265264" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"":["1315","1319"],"NIST SP 800-171":["3.1.16"],"NIST SP 
800-53":["AC-18(a)","AC-18(3)","CM-7(a)","CM-7(b)","CM-6(a)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000085","CCI-002418","CCI-002421","CCI-001443","CCI-001444"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000299-GPOS-00117","SRG-OS-000300-GPOS-00118","SRG-OS-000424-GPOS-00188","SRG-OS-000481-GPOS-000481"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["3.1.2"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"],"PCI-DSS Requirement":["Req-1.3.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751265264" onclick="return openRuleDetailsDialog('idm46361751265264')">Deactivate Wireless Network Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notapplicable"><div><abbr 
title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_nmcli_permissions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751484800" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"":["0418","1055","1402"],"NIST SP 800-171":["3.1.16"],"NIST SP 800-53":["AC-18(4)","CM-6(a)"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751484800" onclick="return openRuleDetailsDialog('idm46361751484800')">Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-overview-leaf-idm46361751480800" data-tt-parent-id="xccdf_org.ssgproject.content_group_network" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","CM-7(2)","MA-3"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.DP-5","ID.AM-1","PR.IP-1","PR.MA-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","11","14","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 
1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6","SR 7.8"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.3.7","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.4"],"https://www.isaca.org/resources/cobit":["APO11.06","APO12.06","BAI03.10","BAI09.01","BAI09.02","BAI09.03","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.05","DSS04.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.1.2","A.11.2.4","A.11.2.5","A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.16.1.6","A.8.1.1","A.8.1.2","A.9.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361751480800" onclick="return openRuleDetailsDialog('idm46361751480800')">Ensure System is Not Acting as a Network Sniffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">8x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Verify Permissions on 
Important Files and Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-tt-parent-id="xccdf_org.ssgproject.content_group_files"><td colspan="3" style="padding-left: 76px">Verify File Permissions Within Some Important Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_permissions_within_important_dirs");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-overview-leaf-idm46361751112512" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751112512" onclick="return openRuleDetailsDialog('idm46361751112512')">Verify that System Executables Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-overview-leaf-idm46361751108512" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751108512" onclick="return openRuleDetailsDialog('idm46361751108512')">Verify that Shared Library Files Have Root Ownership</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-overview-leaf-idm46361751101808" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 800-53":["CM-5(6)","CM-5(6).1","CM-6(a)","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 
5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751101808" onclick="return openRuleDetailsDialog('idm46361751101808')">Verify that System Executables Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-overview-leaf-idm46361751097808" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-references='{"NIST SP 
800-53":["CM-6(a)","CM-5(6)","CM-5(6).1","AC-6(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001499"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000259-GPOS-00100"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361751097808" onclick="return openRuleDetailsDialog('idm46361751097808')">Verify that Shared Library Files Have Restrictive Permissions</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-overview-leaf-idm46361751259856" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001090"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000138-GPOS-00069"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.12"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751259856" onclick="return openRuleDetailsDialog('idm46361751259856')">Verify that All World-Writable Directories Have Sticky Bits Set</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-overview-leaf-idm46361751248384" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.14"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751248384" onclick="return openRuleDetailsDialog('idm46361751248384')">Ensure All SGID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-overview-leaf-idm46361751244384" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R37)","BP28(R38)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.13"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751244384" onclick="return openRuleDetailsDialog('idm46361751244384')">Ensure All SUID Executables Are Authorized</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-overview-leaf-idm46361751240384" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R40)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["6.1.9"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 
2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751240384" onclick="return openRuleDetailsDialog('idm46361751240384')">Ensure No World-Writable Files Exist</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Partition Mount Options</strong> <span class="badge">1x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-overview-leaf-idm46361751054384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.2"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751054384" onclick="return openRuleDetailsDialog('idm46361751054384')">Add nodev Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361751050384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.3"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 
R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751050384" onclick="return openRuleDetailsDialog('idm46361751050384')">Add noexec Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-overview-leaf-idm46361751046384" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001764"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.1.8.4"],"https://www.cisecurity.org/controls/":["11","13","14","3","8","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361751046384" onclick="return openRuleDetailsDialog('idm46361751046384')">Add nosuid Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Programs from Dangerous Execution Patterns</strong> <span class="badge">7x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td 
colspan="3" style="padding-left: 76px"><strong>Enable ExecShield</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-overview-leaf-idm46361750895808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 800-53":["SC-39","CM-6(a)"],"ANSSI":["BP28(R9)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002530"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00192"],"https://www.cisecurity.org/controls/":["12","15","8"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750895808" onclick="return openRuleDetailsDialog('idm46361750895808')">Enable ExecShield via sysctl</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750891808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 
800-53":["SC-30","SC-30(2)","SC-30(5)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-002824","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000433-GPOS-00192","SRG-OS-000480-GPOS-00227"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-002-5 R1.1","CIP-002-5 R1.2","CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 4.1","CIP-004-6 4.2","CIP-004-6 R2.2.3","CIP-004-6 R2.2.4","CIP-004-6 R2.3","CIP-004-6 R4","CIP-005-6 R1","CIP-005-6 R1.1","CIP-005-6 R1.2","CIP-007-3 R3","CIP-007-3 R3.1","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3","CIP-007-3 R8.4","CIP-009-6 R.1.1","CIP-009-6 R4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750891808" onclick="return openRuleDetailsDialog('idm46361750891808')">Restrict Exposed Kernel Pointer Addresses Access</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750887808" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["SC-30","SC-30(2)","CM-6(a)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-002824"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00193","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.5.3"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-002-5 R1.1","CIP-002-5 R1.2","CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 4.1","CIP-004-6 4.2","CIP-004-6 R2.2.3","CIP-004-6 R2.2.4","CIP-004-6 R2.3","CIP-004-6 R4","CIP-005-6 R1","CIP-005-6 R1.1","CIP-005-6 R1.2","CIP-007-3 R3","CIP-007-3 R3.1","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.1.3","CIP-007-3 R5.2.1","CIP-007-3 R5.2.3","CIP-007-3 R8.4","CIP-009-6 R.1.1","CIP-009-6 R4"],"PCI-DSS Requirement":["Req-2.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm46361750887808" onclick="return openRuleDetailsDialog('idm46361750887808')">Enable Randomized Layout of Virtual Address Space</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750956416" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-171":["3.1.5"],"NIST SP 
800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["BP28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001090","CCI-001314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000138-GPOS-00069"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750956416" onclick="return openRuleDetailsDialog('idm46361750956416')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750952416" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["CM-6"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000366-GPOS-00153"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750952416" onclick="return openRuleDetailsDialog('idm46361750952416')">Disable Kernel Image Loading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750929488" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["AC-6","SC-7(10)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750929488" onclick="return openRuleDetailsDialog('idm46361750929488')">Disable Access to Network bpf() Syscall From Unprivileged Processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750922736" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["SC-7(10)"],"ANSSI":["BP28(R25)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067","SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750922736" onclick="return openRuleDetailsDialog('idm46361750922736')">Restrict usage of ptrace to descendant processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" 
id="rule-overview-leaf-idm46361750918736" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["CM-6","SC-7(10)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750918736" onclick="return openRuleDetailsDialog('idm46361750918736')">Harden the operation of the BPF just-in-time compiler</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">SELinux<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_selinux");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux-booleans" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux-booleans" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux"><td colspan="3" style="padding-left: 57px">SELinux - Booleans<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_selinux-booleans");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" id="rule-overview-leaf-idm46361750830800" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux-booleans" data-references='{"":["0582","0584","05885","0586","0846","0957"],"NIST SP 800-171":["80424-5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750830800" onclick="return openRuleDetailsDialog('idm46361750830800')">Enable the auditadm_exec_content SELinux Boolean</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm46361750846576" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1.3"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.2","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-004-6 R3.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750846576" onclick="return openRuleDetailsDialog('idm46361750846576')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm46361750841776" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"ANSSI":["BP28(R4)","BP28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001084","CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199","SRG-OS-000134-GPOS-00068"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["1.6.1.5"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.2","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-004-6 R3.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3","CIP-007-3 R6.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750841776" onclick="return openRuleDetailsDialog('idm46361750841776')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><td colspan="3" 
style="padding-left: 19px"><strong>Services</strong> <span class="badge">20x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_avahi" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Avahi Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_avahi");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disable_avahi_group" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disable_avahi_group" data-tt-parent-id="xccdf_org.ssgproject.content_group_avahi"><td colspan="3" style="padding-left: 57px">Disable Avahi Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disable_avahi_group");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-overview-leaf-idm46361750221344" data-tt-parent-id="xccdf_org.ssgproject.content_group_disable_avahi_group" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.2"],"https://www.cisecurity.org/controls/":["11","14","3","9"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 
7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361750221344" onclick="return openRuleDetailsDialog('idm46361750221344')">Disable Avahi Server Software</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fapolicyd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fapolicyd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Application Whitelisting Daemon</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750096816" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764","CCI-001774"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155","SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00230"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750096816" 
onclick="return openRuleDetailsDialog('idm46361750096816')">Install fapolicyd Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361750092816" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/cci/":["CCI-001764","CCI-001774"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155","SRG-OS-000368-GPOS-00154","SRG-OS-000480-GPOS-00230"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361750092816" onclick="return openRuleDetailsDialog('idm46361750092816')">Enable the File Access Policy Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_chrony_installed" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-overview-leaf-idm46361749995776" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.1"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"],"PCI-DSS Requirement":["Req-10.6.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749995776" onclick="return openRuleDetailsDialog('idm46361749995776')">The Chrony package is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_enabled" id="rule-overview-leaf-idm46361749989744" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000355-GPOS-00143"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749989744" onclick="return openRuleDetailsDialog('idm46361749989744')">The Chronyd service is enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-overview-leaf-idm46361749967520" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"":["0988","1405"],"NIST SP 800-53":["CM-6(a)","AU-8(1)(a)"],"ANSSI":["BP28(R43)"],"https://public.cyber.mil/stigs/cci/":["CCI-000160","CCI-001891"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.1.2"],"PCI-DSS Requirement":["Req-10.4.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749967520" onclick="return openRuleDetailsDialog('idm46361749967520')">A remote time server for Chrony is configured</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Obsolete Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_obsolete");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Xinetd<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_inetd_and_xinetd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_xinetd_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" 
id="rule-overview-leaf-idm46361749954000" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749954000" onclick="return openRuleDetailsDialog('idm46361749954000')">Uninstall xinetd Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-overview-leaf-idm46361749950016" data-tt-parent-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-references='{"NIST SP 800-171":["3.4.7"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000305"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749950016" onclick="return openRuleDetailsDialog('idm46361749950016')">Disable xinetd Service</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">NIS<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nis");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypbind_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-overview-leaf-idm46361749946032" data-tt-parent-id="xccdf_org.ssgproject.content_group_nis" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749946032" onclick="return openRuleDetailsDialog('idm46361749946032')">Remove NIS Client</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Rlogin, Rsh, and Rexec<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_r_services");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-overview-leaf-idm46361749936640" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749936640" onclick="return openRuleDetailsDialog('idm46361749936640')">Uninstall rsh-server Package</a></td><td 
class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-overview-leaf-idm46361749932640" data-tt-parent-id="xccdf_org.ssgproject.content_group_r_services" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749932640" onclick="return openRuleDetailsDialog('idm46361749932640')">Uninstall rsh Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Chat/Messaging Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_talk");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk-server_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-overview-leaf-idm46361749917888" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" 
data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749917888" onclick="return openRuleDetailsDialog('idm46361749917888')">Uninstall talk-server Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-overview-leaf-idm46361749913888" data-tt-parent-id="xccdf_org.ssgproject.content_group_talk" data-references='{"ANSSI":["BP28(R1)"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749913888" onclick="return openRuleDetailsDialog('idm46361749913888')">Uninstall talk Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="xccdf_org.ssgproject.content_group_obsolete"><td colspan="3" style="padding-left: 57px">Telnet<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_telnet");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-overview-leaf-idm46361749909920" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000381"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.13"],"https://www.cisecurity.org/controls/":["11","12","14","15","3","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"],"PCI-DSS Requirement":["Req-2.2.4"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749909920" onclick="return 
openRuleDetailsDialog('idm46361749909920')">Uninstall telnet-server Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-overview-leaf-idm46361749905920" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13"],"ANSSI":["BP28(R1)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.3.1"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"ISO 27001-2013":["A.8.2.3","A.13.1.1","A.13.2.1","A.13.2.3","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749905920" onclick="return openRuleDetailsDialog('idm46361749905920')">Remove telnet Clients</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-overview-leaf-idm46361749901936" data-tt-parent-id="xccdf_org.ssgproject.content_group_telnet" data-references='{"NIST SP 800-171":["3.1.13","3.4.7"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","IA-5(1)(c)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-3","PR.AC-6","PR.AC-7","PR.IP-1","PR.PT-3","PR.PT-4"],"https://www.cisecurity.org/controls/":["1","11","12","14","15","16","3","5","8","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.18.1.4","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749901936" onclick="return openRuleDetailsDialog('idm46361749901936')">Disable telnet Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_group_proxy" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_proxy" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Proxy Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_proxy");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_squid" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_squid" data-tt-parent-id="xccdf_org.ssgproject.content_group_proxy"><td colspan="3" style="padding-left: 57px">Disable Squid if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_squid");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_squid_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-overview-leaf-idm46361749884480" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" data-references='{"https://www.cisecurity.org/benchmark/red_hat_linux/":["2.2.11"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749884480" onclick="return openRuleDetailsDialog('idm46361749884480')">Uninstall squid Package</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_squid_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-overview-leaf-idm46361749880512" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_squid" 
data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361749880512" onclick="return openRuleDetailsDialog('idm46361749880512')">Disable Squid</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_routing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_routing" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Routing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_routing");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_quagga" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_quagga" data-tt-parent-id="xccdf_org.ssgproject.content_group_routing"><td colspan="3" style="padding-left: 57px">Disable Quagga if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_quagga");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_quagga_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-overview-leaf-idm46361749871776" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_quagga" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["12","15","8"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS05.02"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749871776" onclick="return openRuleDetailsDialog('idm46361749871776')">Uninstall quagga Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SNMP Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Disable SNMP Server if Possible<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_disabling_snmp_service");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_service_snmpd_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-overview-leaf-idm46361749855584" data-tt-parent-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" data-references='{"":["1311","SRG-OS-000480-VMM-002000"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749855584" onclick="return openRuleDetailsDialog('idm46361749855584')">Disable snmpd Service</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp"><td colspan="3" style="padding-left: 57px">Configure SNMP Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_snmp_configure_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-overview-leaf-idm46361749849552" data-tt-parent-id="xccdf_org.ssgproject.content_group_snmp_configure_server" data-references='{"":["1311"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749849552" onclick="return openRuleDetailsDialog('idm46361749849552')">Configure SNMP Service to Use Only SNMPv3 or Newer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the 
test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>SSH Server</strong> <span class="badge">15x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px"><strong>Configure OpenSSH Server if Necessary</strong> <span class="badge">15x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749804288" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-3","AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.8"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5","9"],"FBI 
CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749804288" onclick="return openRuleDetailsDialog('idm46361749804288')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" class="rule-overview-leaf rule-overview-leaf-fail 
rule-overview-needs-attention" id="rule-overview-leaf-idm46361749799504" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["1416"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-6(b)","CM-7(a)","CM-7(b)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749799504" onclick="return openRuleDetailsDialog('idm46361749799504')">Enable SSH Server firewalld Firewall Exception</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-overview-leaf-idm46361749794688" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0487","1449","1506","SRG-OS-000033-VMM-000140"],"NIST SP 800-171":["3.1.13","3.5.4"],"NIST SP 800-53":["CM-6(a)","AC-17(a)","AC-17(2)","IA-5(1)(c)","SC-13","MA-4(6)"],"ANSSI":["NT007(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-3","PR.AC-6","PR.AC-7","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000197","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000074-GPOS-00042","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16","5","8"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.13","SR 
1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.6","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO13.01","DSS01.04","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ISO 27001-2013":["A.11.2.6","A.13.1.1","A.13.2.1","A.14.1.3","A.18.1.4","A.6.2.1","A.6.2.2","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R4.2","CIP-007-3 R5.1","CIP-007-3 R7.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749794688" onclick="return openRuleDetailsDialog('idm46361749794688')">Allow Only SSH Protocol 2</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749787168" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 
800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["NT007(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.DS-5","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000766"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000106-GPOS-00053","SRG-OS-000480-GPOS-00229","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.9"],"https://www.cisecurity.org/controls/":["11","12","13","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["APO01.06","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm46361749787168" onclick="return openRuleDetailsDialog('idm46361749787168')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749782352" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0418","1055","1402","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-17(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1","FCS_SSH_EXT.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749782352" onclick="return openRuleDetailsDialog('idm46361749782352')">Disable GSSAPI Authentication</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749777552" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000318","CCI-000368","CCI-001812","CCI-001813","CCI-001814","CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTP_ITC_EXT.1","FCS_SSH_EXT.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749777552" onclick="return openRuleDetailsDialog('idm46361749777552')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749770688" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000107-VMM-000530"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.11"],"https://www.cisecurity.org/controls/":["11","12","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ISO 
27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749770688" onclick="return openRuleDetailsDialog('idm46361749770688')">Disable SSH Support for .rhosts Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749763200" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6(2)","AC-17(a)","IA-2","IA-2(5)","CM-7(a)","CM-7(b)","CM-6(a)"],"ANSSI":["BP28(R19)","NT007(R21)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000109-GPOS-00056","SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.7"],"https://www.cisecurity.org/controls/":["1","11","12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 
2.6","SR 2.7","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.06","DSS06.10"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.2.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2","CIP-007-3 R5.2","CIP-007-3 R5.3.1","CIP-007-3 R5.3.2","CIP-007-3 R5.3.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749763200" onclick="return openRuleDetailsDialog('idm46361749763200')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749753632" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" 
data-references='{"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_UAU.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749753632" onclick="return openRuleDetailsDialog('idm46361749753632')">Disable SSH Support for User Known Hosts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749748816" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["CM-6(b)"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.12"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm46361749748816" onclick="return openRuleDetailsDialog('idm46361749748816')">Disable X11 Forwarding</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749744000" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.10"],"https://www.cisecurity.org/controls/":["11","3","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 7.6"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.4.3.2","4.3.4.3.3"],"https://www.isaca.org/resources/cobit":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749744000" onclick="return openRuleDetailsDialog('idm46361749744000')">Do Not Allow SSH Environment Options</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The 
target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749731728" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6","AC-17(a)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749731728" onclick="return openRuleDetailsDialog('idm46361749731728')">Enable Use of Strict Mode Checking</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749726928" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000023-VMM-000060","SRG-OS-000024-VMM-000070"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(c)","AC-17(a)","CM-6(a)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000023-GPOS-00006","SRG-OS-000228-GPOS-00088"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.15"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FTA_TAB.1"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749726928" onclick="return openRuleDetailsDialog('idm46361749726928')">Enable SSH Warning 
Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749715280" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["AC-9","AC-9(1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000052"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/controls/":["1","12","15","16"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isaca.org/resources/cobit":["DSS05.04","DSS05.10","DSS06.10"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749715280" onclick="return openRuleDetailsDialog('idm46361749715280')">Enable SSH Print Last Log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749705104" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"NIST SP 800-53":["AC-17(a)","CM-6(a)"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749705104" onclick="return openRuleDetailsDialog('idm46361749705104')">Set LogLevel to INFO</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749697600" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["0421","0422","0431","0974","1173","1401","1504","1505","1546","1557","1558","1559","1560","1561"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.16"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm46361749697600" onclick="return openRuleDetailsDialog('idm46361749697600')">Set SSH authentication attempt limit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" id="rule-overview-leaf-idm46361749686576" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm46361749686576" onclick="return openRuleDetailsDialog('idm46361749686576')">Distribute the SSH Server configuration to multiple 
files in a config directory.</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-overview-leaf-idm46361749826528" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh" data-references='{"NIST SP 800-171":["3.1.13","3.13.10"],"NIST SP 800-53":["AC-17(a)","CM-6(a)","AC-6(1)"],"ANSSI":["BP28(R36)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/benchmark/red_hat_linux/":["5.2.2"],"https://www.cisecurity.org/controls/":["12","13","14","15","16","18","3","5"],"https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu":["SR 2.1","SR 5.2"],"https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat":["4.3.3.7.3"],"https://www.isaca.org/resources/cobit":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx":["CIP-003-8 R5.1.1","CIP-003-8 R5.3","CIP-004-6 R2.3","CIP-007-3 R2.1","CIP-007-3 R2.2","CIP-007-3 R2.3","CIP-007-3 R5.1","CIP-007-3 R5.1.1","CIP-007-3 R5.1.2"],"PCI-DSS Requirement":["Req-2.2.6"]}'><td 
style="padding-left: 57px"><a href="#rule-detail-idm46361749826528" onclick="return openRuleDetailsDialog('idm46361749826528')">Verify Permissions on SSH Server Private *_key Key Files</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_usbguard" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_usbguard" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>USBGuard daemon</strong> <span class="badge">3x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_usbguard_installed" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749660176" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"":["1418"],"NIST SP 800-53":["CM-8(3)","IA-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001958"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749660176" onclick="return openRuleDetailsDialog('idm46361749660176')">Install usbguard Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749656176" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"":["1418"],"NIST SP 
800-53":["CM-8(3)(a)","IA-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000416","CCI-001958"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749656176" onclick="return openRuleDetailsDialog('idm46361749656176')">Enable the USBGuard Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm46361749646800" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"NIST SP 800-53":["CM-8(3)","IA-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000114-GPOS-00059"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm46361749646800" onclick="return openRuleDetailsDialog('idm46361749646800')">Authorize Human Interface Devices and USB hubs in USBGuard daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_hashes" id="rule-detail-idm46361753259424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify File Hashes with RPMxccdf_org.ssgproject.content_rule_rpm_verify_hashes highCCE-90841-8 </div><div class="panel-heading"><h3 class="panel-title">Verify File Hashes with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_hashes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_hashes:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:45+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90841-8">CCE-90841-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: <pre>$ rpm -Va --noconfig | grep '^..5'</pre> A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. 
Run the following command to determine which package owns the file: <pre>$ rpm -qf <i>FILENAME</i></pre> The package can be reinstalled from a dnf repository using the command: <pre>$ sudo dnf reinstall <i>PACKAGENAME</i></pre> Alternatively, the package can be reinstalled from trusted media using the command: <pre>$ sudo rpm -Uvh <i>PACKAGENAME</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">verify file md5 hashes</span> <span class="label label-default">oval:ssg-test_files_fail_md5_hash:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_md5_hash:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>^/(bin|sbin|lib|lib64|usr)/.+$</td><td>oval:ssg-state_files_fail_md5_hash:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_ownership" id="rule-detail-idm46361753255456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and 
Correct Ownership with RPMxccdf_org.ssgproject.content_rule_rpm_verify_ownership highCCE-90842-6 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct Ownership with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_ownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:52+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90842-6">CCE-90842-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001494</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001496</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.15</a></p></td></tr><tr><td>Description</td><td><div class="description">The RPM package management system can check file ownership permissions of installed software packages, including many that are important to system security. After locating a file with incorrect permissions, which can be found with <pre>rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'</pre> run the following command to determine which package owns it: <pre>$ rpm -qf <i>FILENAME</i></pre> Next, run the following command to reset its permissions to the correct values: <pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ownership of binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Profiles may require that specific files be owned by root while the default owner defined by the vendor is different. 
Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">user ownership of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_user_ownership:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_user_ownership:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>oval:ssg-state_files_fail_user_ownership:ste:1</td></tr></tbody></table><h4><span class="label label-primary">group ownership of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_group_ownership:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="rpm verify of all files">oval:ssg-object_files_fail_group_ownership:obj:1</abbr></strong> of type <strong>rpmverifyfile_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Filter</th></tr></thead><tbody><tr><td>no 
value</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>.*</td><td>oval:ssg-state_files_fail_group_ownership:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rpm_verify_permissions" id="rule-detail-idm46361753251488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify and Correct File Permissions with RPMxccdf_org.ssgproject.content_rule_rpm_verify_permissions highCCE-90840-0 </div><div class="panel-heading"><h3 class="panel-title">Verify and Correct File Permissions with RPM</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rpm_verify_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rpm_verify_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90840-0">CCE-90840-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001493</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001494</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001495</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001496</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000258-GPOS-00099</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.15</a></p></td></tr><tr><td>Description</td><td><div class="description">The RPM package management system can check file access permissions of installed software packages, including many that are important to system security. Verify that the file permissions of system files and commands match vendor values. Check the file permissions with the following command: <pre>$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'</pre> Output indicates files that do not match vendor defaults. 
After locating a file with incorrect permissions, run the following command to determine which package owns it: <pre>$ rpm -qf <i>FILENAME</i></pre> <br> Next, run the following command to reset its permissions to the correct values: <pre>$ sudo rpm --setperms <i>PACKAGENAME</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Permissions on system binaries and configuration files that are too generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Profiles may require that specific files have stricter file permissions than defined by the vendor. Such files will be reported as a finding and need to be evaluated according to your policy and deployment environment.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187208352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362187208352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>high</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Declare array to hold set of RPM packages we need to correct permissions for
declare -A SETPERMS_RPM_DICT

# Create a list of files on the system having permissions different from what
# is expected by the RPM database
readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')

for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
do
	# NOTE: some files may be controlled by more than one package
	readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
	for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
	do
		# Use an associative array to store packages as its keys, not having to care about duplicates.
		SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
	done
done

# For each of the RPM packages left in the list -- reset its permissions to the
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
	rpm --restore "${RPM_PACKAGE}"
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187204368" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362187204368"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>high</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Read list of files with incorrect permissions
  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
    --nocaps --nolinkto --nouser --nogroup
  register: files_with_incorrect_permissions
  failed_when: files_with_incorrect_permissions.rc > 1
  changed_when: false
  check_mode: false
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Create list of packages
  command: rpm -qf "{{ item }}"
  with_items: '{{ files_with_incorrect_permissions.stdout_lines | map(''regex_findall'', ''^[.]+[M]+.* (\/.*)'', ''\1'') | map(''join'') | select(''match'', ''(\/.*)'') | list | unique }}'
  register: list_of_packages
  changed_when: false
  check_mode: false
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions

- name: Correct file permissions with RPM
  command: rpm --setperms '{{ item }}'
  with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list | unique }}'
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
  tags:
  - CCE-90840-0
  - CJIS-5.10.4.1
  - NIST-800-171-3.3.8
  - NIST-800-171-3.4.1
  - NIST-800-53-AU-9(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-6(c)
  - NIST-800-53-CM-6(d)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - NIST-800-53-SI-7(6)
  - PCI-DSS-Req-11.5
  - high_complexity
  - high_severity
  - medium_disruption
  - no_reboot_needed
  - restrict_strategy
  - rpm_verify_permissions
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">mode of all files matches local rpm database</span> <span class="label label-default">oval:ssg-test_verify_all_rpms_mode:tst:1</span> <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Epoch</th><th>Version</th><th>Release</th><th>Arch</th><th>Filepath</th><th>Extended name</th><th>Size differs</th><th>Mode differs</th><th>Md5 differs</th><th>Device differs</th><th>Link mismatch</th><th>Ownership differs</th><th>Group
differs</th><th>Mtime differs</th><th>Capabilities differ</th><th>Configuration file</th><th>Documentation file</th><th>Ghost file</th><th>License file</th><th>Readme file</th></tr></thead><tbody><tr><td>grub2-efi-x64</td><td>1</td><td>2.06</td><td>61.el9</td><td>x86_64</td><td>/boot/grub2/fonts/unicode.pf2</td><td>grub2-efi-x64-1:2.06-61.el9.x86_64</td><td>pass</td><td>fail</td><td>not performed</td><td>pass</td><td>pass</td><td>pass</td><td>pass</td><td>fail</td><td>pass</td><td role="num">false</td><td role="num">false</td><td role="num">false</td><td role="num">false</td><td role="num">false</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm46361753247504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-90843-4 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_aide_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90843-4">CCE-90843-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI02.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002699</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001744</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1034</a>, <a href="">1288</a>, <a href="">1341</a>, <a href="">1417</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>aide</code> package can be installed with the following command: <pre> $ sudo dnf install aide</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The AIDE package must be installed if it is to be available for 
integrity checking.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187136208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362187136208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    dnf install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362187133424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362187133424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90843-4
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362193591024" 
tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362193591024"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362193588880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362193588880"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
package --add=aide
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362193586896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362193586896"><pre><code>
[[packages]]
name = "aide"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label 
label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_aide_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>aide</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_enable_fips_mode" id="rule-detail-idm46361753213824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-88742-2 </div><div class="panel-heading"><h3 class="panel-title">Enable FIPS Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_fips_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_fips_mode:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-88742-2">CCE-88742-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000068</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000803</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002450</a>, <a href="">1446</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="">SRG-OS-000120-VMM-000600</a>, <a href="">SRG-OS-000478-VMM-001980</a>, <a href="">SRG-OS-000396-VMM-001590</a></p></td></tr><tr><td>Description</td><td><div class="description">To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> <br> The <code>fips-mode-setup</code> command will configure the system in FIPS mode by automatically configuring the following: <ul><li>Setting the kernel FIPS mode flag (<code>/proc/sys/crypto/fips_enabled</code>) to <code>1</code></li><li>Creating <code>/etc/system-fips</code></li><li>Setting the system crypto policy in <code>/etc/crypto-policies/config</code> to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></code></li><li>Loading the Dracut <code>fips</code> module</li></ul></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. 
The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search">https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search</a>. This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186664912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362186664912"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

var_system_crypto_policy='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>'

fips-mode-setup --enable

stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
    echo "$stderr_of_call" >&2
    echo "Make sure that the script is installed on the remediated system." >&2
    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
    echo "to see what package to (re)install" >&2

    false  # end with an error code
elif test "$rc" != 0; then
    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
    false  # end with an error code
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/etc/system-fips exists</span> <span class="label label-default">oval:ssg-test_etc_system_fips:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_system_fips:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/system-fips</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter crypto.fips_enabled set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_crypto_fips_enabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>crypto.fips_enabled</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">add_dracutmodules contains fips</span> <span class="label label-default">oval:ssg-test_enable_dracut_fips_module:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_enable_dracut_fips_module:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dracut.conf.d/40-fips.conf</td><td>^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/state/current</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span> <span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_timestamp:var:1</td><td>1683104181</td></tr></tbody></table><h4><span class="label label-primary">Check if 
/etc/crypto-policies/back-ends/nss.config exists</span> <span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table><h4><span class="label label-primary">tests if var_system_crypto_policy is set to FIPS</span> <span class="label label-default">oval:ssg-test_system_crypto_policy_value:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_system_crypto_policy:var:1</td><td>FIPS</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="rule-detail-idm46361753198848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-83450-7 </div><div class="panel-heading"><h3 class="panel-title">Configure System Cryptography Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83450-7">CCE-83450-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="">1446</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.10</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></code> policy, run the following command: <pre>$ sudo update-crypto-policies --set <abbr title="from 
TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr></pre> The rule checks whether the settings for the selected crypto policy are configured as expected. Configuration files in <code>/etc/crypto-policies/back-ends</code> are either symlinks to the correct files provided by the crypto-policies package, or regular files when crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case the module name is delimited from the base policy with a colon.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> System crypto modules must be provided by a vendor that has undergone FIPS-140 certification. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. 
See <b><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b>. To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186516272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362186516272"><pre><code>
var_system_crypto_policy='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>'

stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
rc=$?

if test "$rc" = 127; then
    echo "$stderr_of_call" >&2
    echo "Make sure that the script is installed on the remediated system." >&2
    echo "See output of the 'dnf provides update-crypto-policies' command" >&2
    echo "to see what package to (re)install" >&2

    false  # end with an error code
elif test "$rc" != 0; then
    echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2
    false  # end with an error code
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186513216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362186513216"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
  tags:
    - always

- name: Configure System Cryptography Policy
  lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  tags:
  - CCE-83450-7
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MA-4(6)
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_crypto_policy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - restrict_strategy

- name: Verify that Crypto Policy is Set (runtime)
  command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
  tags:
  - CCE-83450-7
  - NIST-800-53-AC-17(2)
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-MA-4(6)
  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_crypto_policy
  - high_severity
  - low_complexity
  - low_disruption
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362186509280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362186509280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: configure-crypto-policy.service
        enabled: true
        contents: |
          [Unit]
          Before=kubelet.service

          [Service]
          Type=oneshot
          ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
          RemainAfterExit=yes

          [Install]
          WantedBy=multi-user.target
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/state/current</span> <span class="label 
label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span> <span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_timestamp:var:1</td><td>1683104181</td></tr></tbody></table><h4><span class="label label-primary">Check if /etc/crypto-policies/back-ends/nss.config exists</span> <span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="rule-detail-idm46361753180512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-83445-7 </div><div class="panel-heading"><h3 class="panel-title">Configure SSH to use System 
Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_ssh_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83445-7">CCE-83445-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001453</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHC_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.14</a></p></td></tr><tr><td>Description</td><td><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. 
To check that Crypto Policies settings are configured correctly, ensure that the <code>CRYPTO_POLICY</code> variable is either commented out or not set at all in <code>/etc/sysconfig/sshd</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Overriding the system crypto policy makes the behavior of the SSH service violate expectations and makes system configuration more fragmented.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that the SSH configuration mandates usage of system-wide crypto policies.</span> <span class="label label-default">oval:ssg-test_configure_ssh_crypto_policy:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_configure_ssh_crypto_policy:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysconfig/sshd</td><td>^\s*(?i)CRYPTO_POLICY\s*=.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-detail-idm46361753037232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-83523-1 </div><div class="panel-heading"><h3 class="panel-title">Install sudo Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_sudo_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sudo_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83523-1">CCE-83523-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="">1382</a>, <a href="">1384</a>, <a href="">1386</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>sudo</code> package can be installed with the following command: <pre> $ sudo dnf install 
sudo</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>sudo</code> is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sudo is installed</span> <span class="label label-default">oval:ssg-test_package_sudo_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sudo</td><td>x86_64</td><td>(none)</td><td>9.el9</td><td>1.9.5p2</td><td>0:1.9.5p2-9.el9</td><td>199e2f91fd431d51</td><td>sudo-0:1.9.5p2-9.el9.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="rule-detail-idm46361753022496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate mediumCCE-83544-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_no_authenticate:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83544-7">CCE-83544-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a 
href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using sudo without having to authenticate. 
This should be disabled by making sure that the <code>!authenticate</code> option does not exist in the <code>/etc/sudoers</code> configuration file or in any sudo configuration snippet in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. <br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" id="rule-detail-idm46361753018496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd mediumCCE-83536-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_remove_nopasswd:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83536-3">CCE-83536-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</a>, <a href="">SRG-OS-000373-VMM-001470</a>, <a href="">SRG-OS-000373-VMM-001480</a>, <a href="">SRG-OS-000373-VMM-001490</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the <code>NOPASSWD</code> tag does not exist in the <code>/etc/sudoers</code> configuration file or in any sudo configuration snippet in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
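<p>Added example, written for this page and not part of OpenSCAP, the SSG content or the scanned host: a Python audit that re-implements the OVAL checks shown in this report for the system crypto policy (config, state/current and the NSS back-end file), the sshd <code>CRYPTO_POLICY</code> override, and the sudo <code>NOPASSWD</code> / <code>!authenticate</code> rules, run against a root prefix instead of the live filesystem so it can be exercised offline. The directory tree it builds is constructed to reproduce the findings above (DEFAULT policy in both places, a commented-out override in <code>/etc/sysconfig/sshd</code>, and the cloud-init drop-in containing <code>quickcluster ALL=(ALL) NOPASSWD: ALL</code>); the function names, the temporary-directory layout and the other <code>/etc/sudoers</code> lines are assumptions.</p>

```python
import os
import re
import tempfile

# Patterns copied from the OVAL objects in this report. Python's re rejects a
# mid-pattern (?i), so the sshd pattern takes re.IGNORECASE instead.
SSHD_OVERRIDE = re.compile(r"^\s*CRYPTO_POLICY\s*=.*$", re.IGNORECASE)
SUDO_PATTERNS = {
    "NOPASSWD": re.compile(r"^(?!#).*[\s]+NOPASSWD[\s]*\:.*$"),
    "!authenticate": re.compile(r"^(?!#).*[\s]+\!authenticate.*$"),
}

def _read(root, rel):
    """Contents of <root>/<rel>, or None when the file is absent."""
    full = os.path.join(root, rel.lstrip("/"))
    if not os.path.isfile(full):
        return None
    with open(full, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def check_crypto_policy(root, expected="FIPS"):
    """The three tests of configure_crypto_policy: policy named in config,
    policy actually applied (state/current), generated NSS back-end present."""
    config = _read(root, "/etc/crypto-policies/config") or ""
    configured = next((ln.strip() for ln in config.splitlines()
                       if ln.strip() and not ln.lstrip().startswith("#")), "")
    current = (_read(root, "/etc/crypto-policies/state/current") or "").strip()
    # lexists: on the scanned host the back-end file is a symlink
    nss = os.path.lexists(os.path.join(root, "etc/crypto-policies/back-ends/nss.config"))
    return {"configured": configured, "current": current, "nss_backend": nss,
            "pass": configured == expected and current == expected and nss}

def check_sshd_override(root):
    """configure_ssh_crypto_policy: an uncommented CRYPTO_POLICY= line in
    /etc/sysconfig/sshd makes sshd ignore the system policy."""
    text = _read(root, "/etc/sysconfig/sshd") or ""
    return [ln for ln in text.splitlines() if SSHD_OVERRIDE.match(ln)]

def sudoers_files(root):
    """/etc/sudoers plus every file in /etc/sudoers.d/, like the OVAL objects."""
    paths = [os.path.join(root, "etc/sudoers")]
    dropin = os.path.join(root, "etc/sudoers.d")
    if os.path.isdir(dropin):
        paths += sorted(os.path.join(dropin, f) for f in os.listdir(dropin))
    return [p for p in paths if os.path.isfile(p)]

def scan_sudoers(root):
    """(path, line number, line, tag) for every entry that lets a user
    escalate privileges without re-authenticating."""
    findings = []
    for path in sudoers_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                line = line.rstrip("\n")
                for tag, pat in SUDO_PATTERNS.items():
                    if pat.match(line):
                        findings.append(("/" + os.path.relpath(path, root), no, line, tag))
    return findings

def comment_out_sudo_entries(root):
    """Same strategy as the report's remediation: comment offending lines out
    rather than delete them; returns the number of lines changed. Validate
    each changed file with 'visudo -cf FILE' afterwards (not called here so
    the example also runs where sudo is not installed)."""
    changed = 0
    for path in sudoers_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines(keepends=True)
        out, touched = [], False
        for line in lines:
            if any(p.match(line.rstrip("\n")) for p in SUDO_PATTERNS.values()):
                line, touched, changed = "# " + line, True, changed + 1
            out.append(line)
        if touched:
            with open(path, "w", encoding="utf-8") as fh:
                fh.writelines(out)
    return changed

def build_sample_root():
    """Constructed tree (not taken from the report's ARF) reproducing what the
    scan found; the /etc/sudoers lines themselves are assumed."""
    root = tempfile.mkdtemp(prefix="scap-audit-")
    files = {
        "etc/crypto-policies/config": "# system-wide crypto policy\nDEFAULT\n",
        "etc/crypto-policies/state/current": "DEFAULT\n",
        "etc/crypto-policies/back-ends/nss.config": "",
        "etc/sysconfig/sshd": "# CRYPTO_POLICY=\n",
        "etc/sudoers": "Defaults !visiblepw\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
        "etc/sudoers.d/90-cloud-init-users": "quickcluster ALL=(ALL) NOPASSWD: ALL\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":  # usage: audit the constructed tree, then fix it
    root = build_sample_root()
    print(check_crypto_policy(root), check_sshd_override(root), scan_sudoers(root))
    print("commented out", comment_out_sudo_entries(root), "sudoers line(s)")
```

<p>Run as a script it reports the same verdicts as this report (crypto policy failing on DEFAULT, no sshd override, one NOPASSWD finding) and then comments the offending line out; pointing the functions at <code>/</code> audits a real host. Unlike the shell remediation shown below, which interpolates each matching line into a <code>sed</code> expression unescaped, the comment-out step rewrites the line directly, so a sudoers entry containing <code>/</code> cannot break it; <code>visudo -cf</code> validation is still left to the caller.</p>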
<br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184347136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ◲</a><br><div class="panel-collapse collapse" id="idm46362184347136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184344528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ◲</a><br><div class="panel-collapse collapse" id="idm46362184344528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-83536-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-83536-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_remove_nopasswd
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers.d/90-cloud-init-users</td><td>quickcluster ALL=(ALL) NOPASSWD: ALL</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail 
rule-detail-id-xccdf_org.ssgproject.content_rule_sudo_require_authentication" id="rule-detail-idm46361753014528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Users Re-Authenticate for Privilege Escalation - sudoxccdf_org.ssgproject.content_rule_sudo_require_authentication mediumCCE-83543-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Users Re-Authenticate for Privilege Escalation - sudo</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sudo_require_authentication</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sudo_require_authentication:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83543-9">CCE-83543-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002038</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">The sudo <code>NOPASSWD</code> and <code>!authenticate</code> options, when specified, allow a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that <code>NOPASSWD</code> and/or <code>!authenticate</code> do not exist in the <code>/etc/sudoers</code> configuration file or in any sudo configuration snippets in <code>/etc/sudoers.d/</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without re-authentication, users may access resources or perform tasks for which they do not have authorization. <br><br> When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184299984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362184299984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "!authenticate" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184295920" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184295920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - CCE-83543-9
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_require_authentication
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">!authenticate does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers.d</td><td>^.*$</td><td>^(?!#).*[\s]+\!authenticate.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist /etc/sudoers</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nopasswd_etc_sudoers:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sudoers</td><td>^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">NOPASSWD does not exist in /etc/sudoers.d</span> <span class="label label-default">oval:ssg-test_nopasswd_etc_sudoers_d:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/sudoers.d/90-cloud-init-users</td><td>quickcluster ALL=(ALL) NOPASSWD: ALL</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_rear_installed" id="rule-detail-idm46361752980784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install rear Packagexccdf_org.ssgproject.content_rule_package_rear_installed mediumCCE-83503-3 </div><div class="panel-heading"><h3 class="panel-title">Install rear 
Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rear_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rear_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83503-3">CCE-83503-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rear</code> package can be installed with the following command: <pre> $ sudo dnf install rear</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>rear</code> contains the Relax-and-Recover (ReaR) utility. 
ReaR produces a bootable image of a system and restores from backup using this image.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184092736" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362184092736"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease ) || ( grep -q aarch64 /proc/sys/kernel/osrelease ) || ( grep -q s390x /proc/sys/kernel/osrelease ) ) ); then

if ! rpm -q --quiet "rear" ; then
    dnf install -y "rear"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184090176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184090176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
  package:
    name: rear
    state: present
  when: not ( ( ( ansible_architecture == "aarch64" and ansible_distribution == "OracleLinux" and ansible_distribution_version is version("9.0", ">=") ) or ( ansible_architecture == "aarch64" and ansible_distribution == "RedHat" and ansible_distribution_version is version("9.0", ">=") ) or ( ansible_distribution == "RedHat" and ansible_distribution_version is version("8.4", "<=") and ansible_architecture == "s390x" ) ) )
  tags:
    - CCE-83503-3
    - enable_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - package_rear_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184087072" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184087072"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear

class install_rear {
  package { 'rear':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184084928" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184084928"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=rear
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362184082944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362184082944"><pre><code>[[packages]]
name = "rear"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rear is installed</span> <span class="label label-default">oval:ssg-test_package_rear_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rear_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rear</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-detail-idm46361752945632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Only Security Updatesxccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only lowCCE-83461-4 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Only Security Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-dnf-automatic_security_updates_only:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83461-4">CCE-83461-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By default, <code>dnf-automatic</code> installs all available updates. 
Restricting automatic updates to packages issued as part of a security advisory increases system stability.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183818624" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362183818624"><pre><code>found=false

# set value in all files if they contain section or key
for f in $(echo -n "/etc/dnf/automatic.conf"); do
    if [ ! -e "$f" ]; then
        continue
    fi

    # find key in section and change value
    if grep -qzosP "[[:space:]]*\[commands\]([^\n\[]*\n+)+?[[:space:]]*upgrade_type" "$f"; then
        sed -i "s/upgrade_type[^(\n)]*/upgrade_type = security/" "$f"
        found=true

    # find section and add key = value to it
    elif grep -qs "[[:space:]]*\[commands\]" "$f"; then
        sed -i "/[[:space:]]*\[commands\]/a upgrade_type = security" "$f"
        found=true
    fi
done

# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
    file=$(echo "/etc/dnf/automatic.conf" | cut -f1 -d ' ')
    mkdir -p "$(dirname "$file")"
    echo -e "[commands]\nupgrade_type = security" >> "$file"
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_dnf-automatic_security_updates_only:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="The configuration file /etc/dnf/automatic.conf for dnf-automatic_security_updates_only">oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/dnf/automatic.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm46361752941632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main dnf Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-83457-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main dnf Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_globally_activated:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83457-2">CCE-83457-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. 
To configure dnf to check package signatures before installing them, ensure the following line appears in <code>/etc/dnf/dnf.conf</code> in the <code>[main]</code> section: <pre>gpgcheck=1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. <br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br>Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of gpgcheck in /etc/dnf/dnf.conf</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/dnf/dnf.conf</td><td>gpgcheck=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm46361752937632"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-83463-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_local_packages:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83463-0">CCE-83463-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>dnf</code> should be configured to verify the signature(s) of local packages prior to installation. 
To configure <code>dnf</code> to verify signatures of local packages, set <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/dnf/dnf.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. <br><br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183720464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362183720464"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q yum; then

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/dnf/dnf.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^localpkg_gpgcheck")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/dnf/dnf.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/dnf/dnf.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83463-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/dnf/dnf.conf" >> "/etc/dnf/dnf.conf"
    printf '%s\n' "$formatted_output" >> "/etc/dnf/dnf.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183717408" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362183717408"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>unknown</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83463-0
  - NIST-800-171-3.4.8
  - NIST-800-53-CM-11(a)
  - NIST-800-53-CM-11(b)
  - NIST-800-53-CM-5(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SA-12
  - NIST-800-53-SA-12(10)
  - ensure_gpgcheck_local_packages
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy

- name: Ensure GPG check Enabled for Local Packages (dnf)
  block:

  - name: Check stats of dnf
    stat:
      path: /etc/dnf/dnf.conf
    register: pkg

  - name: Check if config file of dnf is a symlink
    ansible.builtin.set_fact:
      pkg_config_file_symlink: '{{ pkg.stat.lnk_target if pkg.stat.lnk_target is match("^/.*") else "/etc/dnf/dnf.conf" | dirname ~ "/" ~ pkg.stat.lnk_target }}'
    when: pkg.stat.lnk_target is defined

  - name: Ensure GPG check Enabled for Local Packages (dnf)
    ini_file:
      dest: '{{ pkg_config_file_symlink | default("/etc/dnf/dnf.conf") }}'
      section: main
      option: localpkg_gpgcheck
      value: 1
      no_extra_spaces: true
      create: true
  when: '"yum" in ansible_facts.packages'
  tags:
  - CCE-83463-0
  - NIST-800-171-3.4.8
  - NIST-800-53-CM-11(a)
  - NIST-800-53-CM-11(b)
  - NIST-800-53-CM-5(3)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SA-12
  - NIST-800-53-SA-12(10)
  - ensure_gpgcheck_local_packages
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - unknown_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of localpkg_gpgcheck in /etc/dnf/dnf.conf</span> <span class="label label-default">oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="localpkg_gpgcheck set in /etc/dnf/dnf.conf">oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/dnf.conf</td><td>^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idm46361752933632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for All dnf Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-83464-8 
</div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for All dnf Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_never_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83464-8">CCE-83464-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck=0</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for existence of gpgcheck=0 in /etc/yum.repos.d/ files</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.repos.d</td><td>.*</td><td>^\s*gpgcheck\s*=\s*0\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-detail-idm46361752929632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-84180-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions 
of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_redhat_gpgkey_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84180-9">CCE-84180-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI06.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: <pre>$ sudo subscription-manager register</pre> If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in <code>/media/cdrom</code>, use the following command as the root user to import it into the keyring: <pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre> Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command: <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label label-success">true</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel9_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 9</span> <span class="label label-default">oval:ssg-test_rhel9:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>0.13.el9</td><td>9.2</td><td>0:9.2-0.13.el9</td><td>199e2f91fd431d51</td><td>redhat-release-0:9.2-0.13.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 9</span> <span class="label label-default">oval:ssg-test_rhevh_rhel9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel9_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Red Hat release key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table><h4><span class="label label-primary">Red Hat auxiliary key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-5a6340b3-6229229e_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span 
class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release 
ID">oval:ssg-obj_name_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Check os-release ID</span> <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>ID="rhel"</td></tr></tbody></table><h4><span class="label label-primary">Check 
os-release ID</span> <span class="label label-default">oval:ssg-test_centos9_name:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release ID">oval:ssg-obj_name_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^ID="(\w+)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check os-release VERSION_ID</span> <span class="label label-default">oval:ssg-test_centos9_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check os-release VERSION_ID">oval:ssg-obj_version_centos9:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^VERSION_ID="(\d)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">CentOS9 key package is installed</span> <span 
class="label label-default">oval:ssg-test_package_gpgkey-8483c65d-5ccc5b19_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>4ae0493b</td><td>fd431d51</td><td>0:fd431d51-4ae0493b</td><td>0</td><td>gpg-pubkey-0:fd431d51-4ae0493b.(none)</td></tr><tr><td>gpg-pubkey</td><td>(none)</td><td>(none)</td><td>6229229e</td><td>5a6340b3</td><td>0:5a6340b3-6229229e</td><td>0</td><td>gpg-pubkey-0:5a6340b3-6229229e.(none)</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_security_patches_up_to_date" id="rule-detail-idm46361752925632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Software Patches Installedxccdf_org.ssgproject.content_rule_security_patches_up_to_date mediumCCE-84185-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Software Patches Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_security_patches_up_to_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>yes</td></tr><tr><td>OVAL Definition ID</td><td></td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84185-8">CCE-84185-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R08)</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">20</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="https://www.isaca.org/resources/cobit">APO12.01</a>, <a href="https://www.isaca.org/resources/cobit">APO12.02</a>, <a href="https://www.isaca.org/resources/cobit">APO12.03</a>, <a href="https://www.isaca.org/resources/cobit">APO12.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001227</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.12</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-12</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.9</a></p></td></tr><tr><td>Description</td><td><div class="description"><br><br> NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. 
If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The OVAL feed of Red Hat Enterprise Linux 9 is not a XML file, which may not be understood by all scanners.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">None of the check-content-ref elements was resolvable.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm46361752843360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-83587-6 </div><div class="panel-heading"><h3 class="panel-title">Lock Accounts After Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83587-6">CCE-83587-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.2</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>, depending on the OS version.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation will also use the <code>authselect</code> tool. However, if any manual modification was made in the PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock parameters should be defined in the <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182315024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362182315024"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_deny='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr>'


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
    fi
    authselect enable-feature with-faillock

    authselect apply-changes -b
else
    AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
            sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
            sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
        fi
        sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
    done
fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*deny\s*="
    line="deny = $var_accounts_passwords_pam_faillock_deny"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(deny\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_deny"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                if ! authselect check; then
                    echo "
                    authselect integrity check failed. Remediation aborted!
                    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                    It is not recommended to manually edit the PAM files when authselect tool is available.
                    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                    exit 1
                fi
                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
                authselect apply-changes -b
            fi
            if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bdeny\b' "$PAM_FILE_PATH"; then
                sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bdeny\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
            fi
            if [ -f /usr/bin/authselect ]; then
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*deny' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ deny='"$var_accounts_passwords_pam_faillock_deny"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"deny"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_deny"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182301904" tabindex="0" role="button" aria-expanded="false" title="Activate to 
reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362182301904"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: '"pam" in ansible_facts.packages' tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is present block: - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. 
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Lock Accounts After Failed Password Attempts - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_check_cmd is success - name: Lock Accounts After Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Lock Accounts After Failed Password Attempts - Remediation where authselect tool is not present block: - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth 
insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Lock Accounts After Failed Password Attempts - Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: XCCDF Value var_accounts_passwords_pam_faillock_deny # promote to variable set_fact: var_accounts_passwords_pam_faillock_deny: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> tags: - always - name: Lock Accounts After Failed Password Attempts - Check the presence of /etc/security/faillock.conf file ansible.builtin.stat: path: /etc/security/faillock.conf register: result_faillock_conf_check when: '"pam" in ansible_facts.packages' tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - 
restrict_strategy - name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in /etc/security/faillock.conf ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: ^\s*deny\s*= line: deny = {{ var_accounts_passwords_pam_faillock_deny }} state: present when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter not in PAM files block: - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth register: result_pam_file_present - name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system block: - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. 
Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Lock Accounts After Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: 
result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - 
result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: Lock Accounts After Failed Password Attempts - Check the proper remediation for the system block: - name: Lock Accounts After Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Lock Accounts After Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Lock Accounts After Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Lock Accounts After Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: 
false ignore_errors: true - name: Lock Accounts After Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Lock Accounts After Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Lock Accounts After Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Lock Accounts After Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - 
authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Lock Accounts After Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Lock Accounts After Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Lock Accounts After Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - 
result_pam_authselect_select_profile is not skipped - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Lock Accounts After Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Lock Accounts After Failed Password Attempts - Ensure the "deny" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bdeny\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Lock Accounts After Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Lock Accounts After Failed Password Attempts - Ensure the pam_faillock.so deny parameter in PAM files block: - name: Lock Accounts After Failed Password Attempts - Check if pam_faillock.so deny parameter is already enabled in pam files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail).*deny state: absent check_mode: true 
changed_when: false register: result_pam_faillock_deny_parameter_is_present - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth deny parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_deny_parameter_is_present.found == 0 - name: Lock Accounts After Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail deny parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) line: \1required\3 deny={{ var_accounts_passwords_pam_faillock_deny }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_deny_parameter_is_present.found == 0 - name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth deny parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(deny)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_deny_parameter_is_present.found > 0 - name: Lock Accounts After Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail deny parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(deny)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_deny }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_deny_parameter_is_present.found > 0 
when: - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: - CCE-83587-6 - CJIS-5.5.3 - NIST-800-171-3.1.8 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - PCI-DSS-Req-8.1.6 - accounts_passwords_pam_faillock_deny - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of 
password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in system-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have 
been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*deny[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of deny parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so deny parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected deny value in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so deny parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>3</td></tr><tr><td>^[\s]*deny[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" id="rule-detail-idm46361752838496"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the root Account for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root mediumCCE-83589-2 </div><div class="panel-heading"><h3 class="panel-title">Configure the root Account for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83589-2">CCE-83589-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out the <code>root</code> account after a number of incorrect login attempts using <code>pam_faillock.so</code>. The <code>pam_faillock.so</code> module requires multiple entries in the PAM files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>, depending on the OS version.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation will also use the <code>authselect</code> tool. However, if any manual modification was made in PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock parameters should be defined in the <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182204768" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362182204768"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
        echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
    fi
    authselect enable-feature with-faillock
    authselect apply-changes -b
else
    AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
            sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
            sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
        fi
        sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
    done
fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    regex="^\s*even_deny_root"
    line="even_deny_root"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                if ! authselect check; then
                    echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
It is not recommended to manually edit the PAM files when authselect tool is available.
In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                    exit 1
                fi
                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"
                authselect apply-changes -b
            fi
            if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\beven_deny_root\b' "$PAM_FILE_PATH"; then
                sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
            fi
            if [ -f /usr/bin/authselect ]; then
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ even_deny_root/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ even_deny_root/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362182192672" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362182192672"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts 
package_facts: manager: auto tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: '"pam" in ansible_facts.packages' tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Remediation where authselect tool is not present block: - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth insertbefore: ^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth 
- /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Configure the root Account for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file ansible.builtin.stat: path: /etc/security/faillock.conf register: result_faillock_conf_check when: '"pam" in ansible_facts.packages' tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in /etc/security/faillock.conf ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: ^\s*even_deny_root line: even_deny_root state: present when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - 
NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter not in PAM files block: - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system block: - name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Configure the root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. 
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an 
authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Configure the root 
Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: Configure the root Account for Failed Password Attempts - Check the proper remediation for the system block: - name: Configure the root Account for Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Configure the root Account for Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Configure the root Account for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Configure the root Account for Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Configure the 
root Account for Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Configure the root Account for Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Configure the root Account for Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Configure the root Account for Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - 
authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Configure the root Account for Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Configure the root Account for Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - 
result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Configure the root Account for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Configure the root Account for Failed Password Attempts - Ensure the "even_deny_root" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\beven_deny_root\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Configure the root Account for Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Configure the root Account for Failed Password Attempts - Ensure the pam_faillock.so even_deny_root parameter in PAM files block: - name: Configure the root Account for Failed Password Attempts - Check if pam_faillock.so even_deny_root parameter is already enabled in pam files ansible.builtin.lineinfile: 
path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail).*even_deny_root state: absent check_mode: true changed_when: false register: result_pam_faillock_even_deny_root_parameter_is_present - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth even_deny_root parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) line: \1required\3 even_deny_root state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_even_deny_root_parameter_is_present.found == 0 - name: Configure the root Account for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail even_deny_root parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) line: \1required\3 even_deny_root state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_even_deny_root_parameter_is_present.found == 0 when: - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: - CCE-83589-2 - NIST-800-53-AC-7(b) - NIST-800-53-CM-6(a) - NIST-800-53-IA-5(c) - accounts_passwords_pam_faillock_deny_root - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1</span> <span class="label 
label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one pattern occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of 
system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one pattern occurrence is expected in account section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one pattern occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one pattern occurrence is expected in account section of password-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected even_deny_root parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected even_deny_root parameter in 
password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of even_deny_root parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Try to get the even_deny_root parameter from /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*even_deny_root</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of even_deny_root parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to 
the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of even_deny_root parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so even_deny_root parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected even_deny_root parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Try to get the even_deny_root parameter from 
/etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*even_deny_root</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm46361752829680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-83583-5 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_interval:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83583-5">CCE-83583-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description">Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system relies on <code>authselect</code> tool to manage PAM settings, the remediation will also use <code>authselect</code> tool. However, if any manual modification was made in PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. 
If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock parameters should be defined in <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181987520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362181987520"><pre><code># Remediation is applicable only in certain platforms if rpm --quiet -q pam; then var_accounts_passwords_pam_faillock_fail_interval='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr>' if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi authselect enable-feature with-faillock authselect apply-changes -b else AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") for pam_file in "${AUTH_FILES[@]}" do if ! 
grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file" sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file" sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file" fi sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file" done fi AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth") FAILLOCK_CONF="/etc/security/faillock.conf" if [ -f $FAILLOCK_CONF ]; then regex="^\s*fail_interval\s*=" line="fail_interval = $var_accounts_passwords_pam_faillock_fail_interval" if ! grep -q $regex $FAILLOCK_CONF; then echo $line >> $FAILLOCK_CONF else sed -i --follow-symlinks 's|^\s*\(fail_interval\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_fail_interval"'|g' $FAILLOCK_CONF fi for pam_file in "${AUTH_FILES[@]}" do if [ -e "$pam_file" ] ; then PAM_FILE_PATH="$pam_file" if [ -f /usr/bin/authselect ]; then if ! authselect check; then echo " authselect integrity check failed. Remediation aborted! This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. It is not recommended to manually edit the PAM files when authselect tool is available. In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended." exit 1 fi CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }') # If not already in use, a custom profile is created preserving the enabled features. if [[ ! 
$CURRENT_PROFILE == custom/* ]]; then ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }') authselect create-profile hardening -b $CURRENT_PROFILE CURRENT_PROFILE="custom/hardening" authselect apply-changes -b --backup=before-hardening-custom-profile authselect select $CURRENT_PROFILE for feature in $ENABLED_FEATURES; do authselect enable-feature $feature; done authselect apply-changes -b --backup=after-hardening-custom-profile fi PAM_FILE_NAME=$(basename "$pam_file") PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME" authselect apply-changes -b fi if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bfail_interval\b' "$PAM_FILE_PATH"; then sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bfail_interval\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH" fi if [ -f /usr/bin/authselect ]; then authselect apply-changes -b fi else echo "$pam_file was not found" >&2 fi done else for pam_file in "${AUTH_FILES[@]}" do if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*fail_interval' "$pam_file"; then sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ fail_interval='"$var_accounts_passwords_pam_faillock_fail_interval"'/' "$pam_file" else sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"fail_interval"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_fail_interval"'\3/' "$pam_file" fi done fi else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362181974256" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362181974256"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present when: '"pam" in ansible_facts.packages' tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - Remediation where authselect tool is present block: - name: Set Interval For Counting Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. 
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Set Interval For Counting Failed Password Attempts - Get authselect current features ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_check_cmd is success - name: Set Interval For Counting Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool ansible.builtin.command: cmd: authselect enable-feature with-faillock register: result_authselect_enable_feature_cmd when: - result_authselect_check_cmd is success - result_authselect_features.stdout is not search("with-faillock") - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_enable_feature_cmd is not skipped - result_authselect_enable_feature_cmd is success when: - '"pam" in ansible_facts.packages' - result_authselect_present.stat.exists tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - Remediation where authselect tool is not present block: - name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so is already enabled ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail) state: absent check_mode: true changed_when: false register: result_pam_faillock_is_enabled - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so preauth insertbefore: 
^auth.*sufficient.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: auth required pam_faillock.so authfail insertbefore: ^auth.*required.*pam_deny\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 - name: Set Interval For Counting Failed Password Attempts - Enable pam_faillock.so account section editing PAM files ansible.builtin.lineinfile: path: '{{ item }}' line: account required pam_faillock.so insertbefore: ^account.*required.*pam_unix\.so.* state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_is_enabled.found == 0 when: - '"pam" in ansible_facts.packages' - not result_authselect_present.stat.exists tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: XCCDF Value var_accounts_passwords_pam_faillock_fail_interval # promote to variable set_fact: var_accounts_passwords_pam_faillock_fail_interval: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr> tags: - always - name: Set Interval For Counting Failed Password Attempts - Check the presence of /etc/security/faillock.conf file ansible.builtin.stat: path: /etc/security/faillock.conf register: result_faillock_conf_check when: '"pam" in ansible_facts.packages' tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - 
Ensure the pam_faillock.so fail_interval parameter in /etc/security/faillock.conf ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: ^\s*fail_interval\s*= line: fail_interval = {{ var_accounts_passwords_pam_faillock_fail_interval }} state: present when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so fail_interval parameter not in PAM files block: - name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/system-auth file is present ansible.builtin.stat: path: /etc/pam.d/system-auth register: result_pam_file_present - name: Set Interval For Counting Failed Password Attempts - Check the proper remediation for the system block: - name: Set Interval For Counting Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/system-auth - name: Set Interval For Counting Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Set Interval For Counting Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Interval For Counting Failed Password Attempts - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! 
- This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Set Interval For Counting Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Set Interval For Counting Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Set Interval For Counting Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: 
result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Interval For Counting Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Interval For Counting Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile 
when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Set Interval For Counting Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists - name: Set Interval For Counting Failed Password Attempts - Check if /etc/pam.d/password-auth file is present ansible.builtin.stat: path: /etc/pam.d/password-auth register: result_pam_file_present - name: Set Interval For Counting Failed Password Attempts - Check the proper remediation for the system block: - name: Set Interval For Counting Failed Password Attempts - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/password-auth - name: Set Interval For Counting Failed Password Attempts - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Set Interval For Counting Failed Password Attempts - Ensure authselect custom profile is used if authselect is present block: - name: Set Interval For Counting Failed Password Attempts - Check integrity of authselect current profile 
ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Set Interval For Counting Failed Password Attempts - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Set Interval For Counting Failed Password Attempts - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Set Interval For Counting Failed Password Attempts - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Set Interval For Counting Failed Password Attempts - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ 
print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Set Interval For Counting Failed Password Attempts - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Interval For Counting Failed Password Attempts - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Set Interval For Counting Failed Password Attempts - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: 
result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Set Interval For Counting Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Set Interval For Counting Failed Password Attempts - Ensure the "fail_interval" option from "pam_faillock.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*auth.*pam_faillock.so.*)\bfail_interval\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Set Interval For Counting Failed Password Attempts - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - result_pam_file_present.stat.exists when: - '"pam" in ansible_facts.packages' - result_faillock_conf_check.stat.exists tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set Interval For Counting Failed Password Attempts - Ensure the pam_faillock.so fail_interval parameter in PAM files block: - name: Set Interval For Counting Failed Password Attempts - Check if pam_faillock.so fail_interval parameter is already enabled in pam 
files ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: .*auth.*pam_faillock\.so (preauth|authfail).*fail_interval state: absent check_mode: true changed_when: false register: result_pam_faillock_fail_interval_parameter_is_present - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth fail_interval parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*) line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_fail_interval_parameter_is_present.found == 0 - name: Set Interval For Counting Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail fail_interval parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*) line: \1required\3 fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }} state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_fail_interval_parameter_is_present.found == 0 - name: Set Interval For Counting Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth fail_interval parameter in auth section ansible.builtin.lineinfile: path: '{{ item }}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(fail_interval)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_fail_interval_parameter_is_present.found > 0 - name: Set Interval For Counting Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail fail_interval parameter in auth section ansible.builtin.lineinfile: path: '{{ item 
}}' backrefs: true regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(fail_interval)=[0-9]+(.*) line: \1required\3\4={{ var_accounts_passwords_pam_faillock_fail_interval }}\5 state: present loop: - /etc/pam.d/system-auth - /etc/pam.d/password-auth when: - result_pam_faillock_fail_interval_parameter_is_present.found > 0 when: - '"pam" in ansible_facts.packages' - not result_faillock_conf_check.stat.exists tags: - CCE-83583-5 - NIST-800-53-AC-7(a) - NIST-800-53-CM-6(a) - accounts_passwords_pam_faillock_interval - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so fail_interval parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*fail_interval[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of fail_interval parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so fail_interval parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected fail_interval value in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so fail_interval parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>900</td></tr><tr><td>^[\s]*fail_interval[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm46361752822064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-83588-4 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83588-4">CCE-83588-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002236</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002237</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, 
<a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000329-VMM-001180</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using <code>pam_faillock.so</code>. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as <code>authselect</code> or <code>authconfig</code>, depending on the OS version. If <code>unlock_time</code> is set to <code>0</code>, manual intervention by an administrator is required to unlock a user. This should be done using the <code>faillock</code> tool.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system supports the new <code>/etc/security/faillock.conf</code> file but the pam_faillock.so parameters are defined directly in <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code>, the remediation will migrate the <code>unlock_time</code> parameter to <code>/etc/security/faillock.conf</code> to ensure compatibility with <code>authselect</code> tool. The parameters <code>deny</code> and <code>fail_interval</code>, if used, also have to be migrated by their respective remediation.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> If the system relies on <code>authselect</code> tool to manage PAM settings, the remediation will also use <code>authselect</code> tool. However, if any manual modification was made in PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. 
If the system supports the <code>/etc/security/faillock.conf</code> file, the pam_faillock parameters should be defined in the <code>faillock.conf</code> file.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181835536" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362181835536"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_accounts_passwords_pam_faillock_unlock_time='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr>'

# Enable pam_faillock.so, via authselect where available, otherwise by editing the PAM files directly.
if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
    fi
    authselect enable-feature with-faillock

    authselect apply-changes -b
else
    AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth\s+required\s+pam_faillock\.so\s+(preauth silent|authfail).*$' "$pam_file" ; then
            sed -i --follow-symlinks '/^auth.*sufficient.*pam_unix\.so.*/i auth required pam_faillock.so preauth silent' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_deny\.so.*/i auth required pam_faillock.so authfail' "$pam_file"
            sed -i --follow-symlinks '/^account.*required.*pam_unix\.so.*/i account required pam_faillock.so' "$pam_file"
        fi
        sed -Ei 's/(auth.*)(\[default=die\])(.*pam_faillock\.so)/\1required \3/g' "$pam_file"
    done
fi

AUTH_FILES=("/etc/pam.d/system-auth" "/etc/pam.d/password-auth")

FAILLOCK_CONF="/etc/security/faillock.conf"
if [ -f $FAILLOCK_CONF ]; then
    # faillock.conf is supported: set unlock_time there and remove it from the PAM files.
    regex="^\s*unlock_time\s*="
    line="unlock_time = $var_accounts_passwords_pam_faillock_unlock_time"
    if ! grep -q $regex $FAILLOCK_CONF; then
        echo $line >> $FAILLOCK_CONF
    else
        sed -i --follow-symlinks 's|^\s*\(unlock_time\s*=\s*\)\(\S\+\)|\1'"$var_accounts_passwords_pam_faillock_unlock_time"'|g' $FAILLOCK_CONF
    fi
    for pam_file in "${AUTH_FILES[@]}"
    do
        if [ -e "$pam_file" ] ; then
            PAM_FILE_PATH="$pam_file"
            if [ -f /usr/bin/authselect ]; then
                if ! authselect check; then
                    echo "
                    authselect integrity check failed. Remediation aborted!
                    This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
                    It is not recommended to manually edit the PAM files when authselect tool is available.
                    In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
                    exit 1
                fi
                CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
                # If not already in use, a custom profile is created preserving the enabled features.
                if [[ ! $CURRENT_PROFILE == custom/* ]]; then
                    ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
                    authselect create-profile hardening -b $CURRENT_PROFILE
                    CURRENT_PROFILE="custom/hardening"
                    authselect apply-changes -b --backup=before-hardening-custom-profile
                    authselect select $CURRENT_PROFILE
                    for feature in $ENABLED_FEATURES; do
                        authselect enable-feature $feature;
                    done
                    authselect apply-changes -b --backup=after-hardening-custom-profile
                fi
                PAM_FILE_NAME=$(basename "$pam_file")
                PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

                authselect apply-changes -b
            fi
            if grep -qP '^\s*auth\s.*\bpam_faillock.so\s.*\bunlock_time\b' "$PAM_FILE_PATH"; then
                sed -i -E --follow-symlinks 's/(.*auth.*pam_faillock.so.*)\bunlock_time\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
            fi
            if [ -f /usr/bin/authselect ]; then
                authselect apply-changes -b
            fi
        else
            echo "$pam_file was not found" >&2
        fi
    done
else
    # No faillock.conf: set unlock_time on the pam_faillock.so preauth and authfail lines themselves.
    for pam_file in "${AUTH_FILES[@]}"
    do
        if ! grep -qE '^\s*auth.*pam_faillock\.so (preauth|authfail).*unlock_time' "$pam_file"; then
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*preauth.*silent.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
            sed -i --follow-symlinks '/^auth.*required.*pam_faillock\.so.*authfail.*/ s/$/ unlock_time='"$var_accounts_passwords_pam_faillock_unlock_time"'/' "$pam_file"
        else
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*preauth.*silent.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
            sed -i --follow-symlinks 's/\(^auth.*required.*pam_faillock\.so.*authfail.*\)\('"unlock_time"'=\)[0-9]\+\(.*\)/\1\2'"$var_accounts_passwords_pam_faillock_unlock_time"'\3/' "$pam_file"
        fi
    done
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362181822272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362181822272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is present
  block:
  - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true
  - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool is available.
      - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed
  - name: Set Lockout Time for Failed Password Attempts - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success
  - name: Set Lockout Time for Failed Password Attempts - Ensure "with-faillock" feature is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature with-faillock
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("with-faillock")
  - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - '"pam" in ansible_facts.packages'
  - result_authselect_present.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Remediation where authselect tool is not present
  block:
  - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so is already enabled
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail)
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_is_enabled
  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so preauth editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so preauth
      insertbefore: ^auth.*sufficient.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so authfail editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: auth required pam_faillock.so authfail
      insertbefore: ^auth.*required.*pam_deny\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  - name: Set Lockout Time for Failed Password Attempts - Enable pam_faillock.so account section editing PAM files
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      line: account required pam_faillock.so
      insertbefore: ^account.*required.*pam_unix\.so.*
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_is_enabled.found == 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_authselect_present.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_accounts_passwords_pam_faillock_unlock_time # promote to variable
  set_fact:
    var_accounts_passwords_pam_faillock_unlock_time: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr>
  tags:
  - always

- name: Set Lockout Time for Failed Password Attempts - Check the presence of /etc/security/faillock.conf file
  ansible.builtin.stat:
    path: /etc/security/faillock.conf
  register: result_faillock_conf_check
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in /etc/security/faillock.conf
  ansible.builtin.lineinfile:
    path: /etc/security/faillock.conf
    regexp: ^\s*unlock_time\s*=
    line: unlock_time = {{ var_accounts_passwords_pam_faillock_unlock_time }}
    state: present
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter not in PAM files
  block:
  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/system-auth file is present
    ansible.builtin.stat:
      path: /etc/pam.d/system-auth
    register: result_pam_file_present
  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system
    block:
    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/system-auth
    - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present
    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
      block:
      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true
      - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed
      - name: Set Lockout Time for Failed Password Attempts - Get authselect current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success
      - name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists
      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)
      - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)
      - name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped
      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped
      - name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
      when:
      - result_authselect_present.stat.exists
    - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal
    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  - name: Set Lockout Time for Failed Password Attempts - Check if /etc/pam.d/password-auth file is present
    ansible.builtin.stat:
      path: /etc/pam.d/password-auth
    register: result_pam_file_present
  - name: Set Lockout Time for Failed Password Attempts - Check the proper remediation for the system
    block:
    - name: Set Lockout Time for Failed Password Attempts - Define the PAM file to be edited as a local fact
      ansible.builtin.set_fact:
        pam_file_path: /etc/pam.d/password-auth
    - name: Set Lockout Time for Failed Password Attempts - Check if system relies on authselect tool
      ansible.builtin.stat:
        path: /usr/bin/authselect
      register: result_authselect_present
    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect custom profile is used if authselect is present
      block:
      - name: Set Lockout Time for Failed Password Attempts - Check integrity of authselect current profile
        ansible.builtin.command:
          cmd: authselect check
        register: result_authselect_check_cmd
        changed_when: false
        ignore_errors: true
      - name: Set Lockout Time for Failed Password Attempts - Informative message based on the authselect integrity check result
        ansible.builtin.assert:
          that:
          - result_authselect_check_cmd is success
          fail_msg:
          - authselect integrity check failed. Remediation aborted!
          - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
          - It is not recommended to manually edit the PAM files when authselect tool is available.
          - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
          success_msg:
          - authselect integrity check passed
      - name: Set Lockout Time for Failed Password Attempts - Get authselect current profile
        ansible.builtin.shell:
          cmd: authselect current -r | awk '{ print $1 }'
        register: result_authselect_profile
        changed_when: false
        when:
        - result_authselect_check_cmd is success
      - name: Set Lockout Time for Failed Password Attempts - Define the current authselect profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: '{{ result_authselect_profile.stdout }}'
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Define the new authselect custom profile as a local fact
        ansible.builtin.set_fact:
          authselect_current_profile: '{{ result_authselect_profile.stdout }}'
          authselect_custom_profile: custom/hardening
        when:
        - result_authselect_profile is not skipped
        - result_authselect_profile.stdout is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Get authselect current features to also enable them in the custom profile
        ansible.builtin.shell:
          cmd: authselect current | tail -n+3 | awk '{ print $2 }'
        register: result_authselect_features
        changed_when: false
        when:
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Check if any custom profile with the same name was already created
        ansible.builtin.stat:
          path: /etc/authselect/{{ authselect_custom_profile }}
        register: result_authselect_custom_profile_present
        changed_when: false
        when:
        - authselect_current_profile is not match("custom/")
      - name: Set Lockout Time for Failed Password Attempts - Create an authselect custom profile based on the current profile
        ansible.builtin.command:
          cmd: authselect create-profile hardening -b {{ authselect_current_profile }}
        when:
        - result_authselect_check_cmd is success
        - authselect_current_profile is not match("custom/")
        - not result_authselect_custom_profile_present.stat.exists
      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=before-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)
      - name: Set Lockout Time for Failed Password Attempts - Ensure the authselect custom profile is selected
        ansible.builtin.command:
          cmd: authselect select {{ authselect_custom_profile }}
        register: result_pam_authselect_select_profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - authselect_current_profile is not match("custom/")
        - authselect_custom_profile is not match(authselect_current_profile)
      - name: Set Lockout Time for Failed Password Attempts - Restore the authselect features in the custom profile
        ansible.builtin.command:
          cmd: authselect enable-feature {{ item }}
        loop: '{{ result_authselect_features.stdout_lines }}'
        register: result_pam_authselect_restore_features
        when:
        - result_authselect_profile is not skipped
        - result_authselect_features is not skipped
        - result_pam_authselect_select_profile is not skipped
      - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
        ansible.builtin.command:
          cmd: authselect apply-changes -b --backup=after-hardening-custom-profile
        when:
        - result_authselect_check_cmd is success
        - result_authselect_profile is not skipped
        - result_pam_authselect_restore_features is not skipped
      - name: Set Lockout Time for Failed Password Attempts - Change the PAM file to be edited according to the custom authselect profile
        ansible.builtin.set_fact:
          pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }}
      when:
      - result_authselect_present.stat.exists
    - name: Set Lockout Time for Failed Password Attempts - Ensure the "unlock_time" option from "pam_faillock.so" is not present in {{ pam_file_path }}
      ansible.builtin.replace:
        dest: '{{ pam_file_path }}'
        regexp: (.*auth.*pam_faillock.so.*)\bunlock_time\b=?[0-9a-zA-Z]*(.*)
        replace: \1\2
      register: result_pam_option_removal
    - name: Set Lockout Time for Failed Password Attempts - Ensure authselect changes are applied
      ansible.builtin.command:
        cmd: authselect apply-changes -b
      when:
      - result_authselect_present.stat.exists
      - result_pam_option_removal is changed
    when:
    - result_pam_file_present.stat.exists
  when:
  - '"pam" in ansible_facts.packages'
  - result_faillock_conf_check.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set Lockout Time for Failed Password Attempts - Ensure the pam_faillock.so unlock_time parameter in PAM files
  block:
  - name: Set Lockout Time for Failed Password Attempts - Check if pam_faillock.so unlock_time parameter is already enabled in pam files
    ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: .*auth.*pam_faillock\.so (preauth|authfail).*unlock_time
      state: absent
    check_mode: true
    changed_when: false
    register: result_pam_faillock_unlock_time_parameter_is_present
  - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so preauth unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)
      line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found == 0
  - name: Set Lockout Time for Failed Password Attempts - Ensure the inclusion of pam_faillock.so authfail unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)
      line: \1required\3 unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }}
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found == 0
  - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so preauth unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so preauth.*)(unlock_time)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found > 0
  - name: Set Lockout Time for Failed Password Attempts - Ensure the desired value for pam_faillock.so authfail unlock_time parameter in auth section
    ansible.builtin.lineinfile:
      path: '{{ item }}'
      backrefs: true
      regexp: (^\s*auth\s+)([\w\[].*\b)(\s+pam_faillock.so authfail.*)(unlock_time)=[0-9]+(.*)
      line: \1required\3\4={{ var_accounts_passwords_pam_faillock_unlock_time }}\5
      state: present
    loop:
    - /etc/pam.d/system-auth
    - /etc/pam.d/password-auth
    when:
    - result_pam_faillock_unlock_time_parameter_is_present.found > 0
  when:
  - '"pam" in ansible_facts.packages'
  - not result_faillock_conf_check.stat.exists
  tags:
  - CCE-83588-4
  - CJIS-5.5.3
  - NIST-800-171-3.1.8
  - NIST-800-53-AC-7(b)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.1.7
  - accounts_passwords_pam_faillock_unlock_time
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">No more than one pam_unix.so is expected in auth section of password-auth</span> <span 
class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the second and subsequent occurrences of pam_unix.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth\N+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of system-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in auth section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">One and only one occurrence is expected in auth section of password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check common definition of pam_faillock.so in account section of password-auth">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td></tr></table></td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from system-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td><td>^/etc/pam.d/system-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the absence of unlock_time parameter in password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Get the pam_faillock.so unlock_time parameter from password-auth file">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)</td><td>^/etc/pam.d/password-auth$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check the expected unlock_time value in /etc/security/faillock.conf</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check the expected pam_faillock.so unlock_time parameter in /etc/security/faillock.conf">oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>0</td></tr><tr><td>^[\s]*unlock_time[\s]*=[\s]*([0-9]+)</td></tr></table></td><td>^/etc/security/faillock.conf$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm46361752793456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-83579-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_minlen:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83579-3">CCE-83579-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a 
href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="">SRG-OS-000072-VMM-000390</a>, <a href="">SRG-OS-000078-VMM-000450</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.5.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The pam_pwquality module's 
<code>minlen</code> parameter controls the minimum number of characters required in a password. Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr></code> after pam_pwquality to set the minimum password length requirement.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. <br> Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181179744" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362181179744"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

var_password_pam_minlen='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr>'


# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/security/pwquality.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^minlen")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_password_pam_minlen"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83579-3"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
    printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362181174896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362181174896"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83579-3
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_password_pam_minlen # promote to variable
  set_fact:
    var_password_pam_minlen: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">14</abbr>
  tags:
    - always

- name: Ensure PAM Enforces Password Requirements - Minimum Length - Ensure PAM variable minlen is set accordingly
  ansible.builtin.lineinfile:
    create: true
    dest: /etc/security/pwquality.conf
    regexp: ^#?\s*minlen
    line: minlen = {{ var_password_pam_minlen }}
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83579-3
  - CJIS-5.6.2.1.1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(4)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - accounts_password_pam_minlen
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_minlen:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_minlen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/security/pwquality\.conf$</td><td>^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_display_login_attempts" id="rule-detail-idm46361752871760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Displays Last Logon/Access Notificationxccdf_org.ssgproject.content_rule_display_login_attempts lowCCE-83560-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Displays Last Logon/Access Notification</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_display_login_attempts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-display_login_attempts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83560-3">CCE-83560-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000052</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the system to notify users of last logon/access using <code>pam_lastlog</code>, add or correct the <code>pam_lastlog</code> settings in <code>/etc/pam.d/postlogin</code> to read as follows: 
<pre>session required pam_lastlog.so showfailed</pre> Also make sure that the <code>silent</code> option is not set for the <code>pam_lastlog</code> module.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to log in to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183060080" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362183060080"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

if [ -e "/etc/pam.d/postlogin" ] ; then
    PAM_FILE_PATH="/etc/pam.d/postlogin"
    if [ -f /usr/bin/authselect ]; then

        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi
        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"

            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done

            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi

    if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*' "$PAM_FILE_PATH"; then
        # Line matching group + control + module was not found. Check group + module.
        if [ "$(grep -cP '^\s*session\s+.*\s+pam_lastlog.so\s*' "$PAM_FILE_PATH")" -eq 1 ]; then
            # The control is updated only if one single line matches.
            sed -i -E --follow-symlinks 's/^(\s*session\s+).*(\bpam_lastlog.so.*)/\1'"required"' \2/' "$PAM_FILE_PATH"
        else
            sed -i --follow-symlinks '1i session '"required"' pam_lastlog.so' "$PAM_FILE_PATH"
        fi
    fi
    # Check the option
    if ! grep -qP '^\s*session\s+'"required"'\s+pam_lastlog.so\s*.*\sshowfailed\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks '/\s*session\s+'"required"'\s+pam_lastlog.so.*/ s/$/ showfailed/' "$PAM_FILE_PATH"
    fi
    if [ -f /usr/bin/authselect ]; then

        authselect apply-changes -b
    fi
else
    echo "/etc/pam.d/postlogin was not found" >&2
fi

if [ -e "/etc/pam.d/postlogin" ] ; then
    PAM_FILE_PATH="/etc/pam.d/postlogin"
    if [ -f /usr/bin/authselect ]; then

        if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
        fi
        CURRENT_PROFILE=$(authselect current -r | awk '{ print $1 }')
        # If not already in use, a custom profile is created preserving the enabled features.
        if [[ ! $CURRENT_PROFILE == custom/* ]]; then
            ENABLED_FEATURES=$(authselect current | tail -n+3 | awk '{ print $2 }')
            authselect create-profile hardening -b $CURRENT_PROFILE
            CURRENT_PROFILE="custom/hardening"

            authselect apply-changes -b --backup=before-hardening-custom-profile
            authselect select $CURRENT_PROFILE
            for feature in $ENABLED_FEATURES; do
                authselect enable-feature $feature;
            done

            authselect apply-changes -b --backup=after-hardening-custom-profile
        fi
        PAM_FILE_NAME=$(basename "/etc/pam.d/postlogin")
        PAM_FILE_PATH="/etc/authselect/$CURRENT_PROFILE/$PAM_FILE_NAME"

        authselect apply-changes -b
    fi

    if grep -qP '^\s*session\s.*\bpam_lastlog.so\s.*\bsilent\b' "$PAM_FILE_PATH"; then
        sed -i -E --follow-symlinks 's/(.*session.*pam_lastlog.so.*)\bsilent\b=?[[:alnum:]]*(.*)/\1\2/g' "$PAM_FILE_PATH"
    fi
    if [ -f /usr/bin/authselect ]; then

        authselect apply-changes -b
    fi
else
    echo "/etc/pam.d/postlogin was not found" >&2
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183053712" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362183053712"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83560-3
  - CJIS-5.5.2
  - NIST-800-53-AC-9
  - NIST-800-53-AC-9(1)
  - PCI-DSS-Req-10.2.4
  - configure_strategy
  - display_login_attempts
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed

- name: Ensure PAM Displays Last Logon/Access Notification - Check if /etc/pam.d/postlogin file is present
  ansible.builtin.stat:
    path: /etc/pam.d/postlogin
  register: result_pam_file_present
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-83560-3
  - CJIS-5.5.2
  - NIST-800-53-AC-9
  - NIST-800-53-AC-9(1)
  - PCI-DSS-Req-10.2.4
  - configure_strategy
  - display_login_attempts
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed

- name: Ensure PAM Displays Last Logon/Access Notification - Check the proper remediation for the system
  block:

  - name: Ensure PAM Displays Last Logon/Access Notification - Define the PAM file to be edited as a local fact
    ansible.builtin.set_fact:
      pam_file_path: /etc/pam.d/postlogin

  - name: Ensure PAM Displays Last Logon/Access Notification - Check if system relies on authselect tool
    ansible.builtin.stat:
      path: /usr/bin/authselect
    register: result_authselect_present

  - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect custom profile is used if authselect is present
    block:

    - name: Ensure PAM Displays Last Logon/Access Notification - Check integrity of authselect current profile
      ansible.builtin.command:
        cmd: authselect check
      register: result_authselect_check_cmd
      changed_when: false
      ignore_errors: true

    - name: Ensure PAM Displays Last Logon/Access Notification - Informative message based on the authselect integrity check result
      ansible.builtin.assert:
        that:
        - result_authselect_check_cmd is success
        fail_msg:
        - authselect integrity check failed. Remediation aborted!
        - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        - It is not recommended to manually edit the PAM files when authselect tool is available.
- In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. success_msg: - authselect integrity check passed - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Ensure PAM Displays Last Logon/Access Notification - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Create an authselect custom profile based 
on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Ensure PAM Displays Last Logon/Access Notification - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Ensure PAM Displays Last Logon/Access Notification - Change the PAM file 
to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Ensure PAM Displays Last Logon/Access Notification - Check if expected PAM module line is present in {{ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*session\s+required\s+pam_lastlog.so\s*.* state: absent check_mode: true changed_when: false register: result_pam_line_present - name: Ensure PAM Displays Last Logon/Access Notification - Include or update the PAM module line in {{ pam_file_path }} block: - name: Ensure PAM Displays Last Logon/Access Notification - Check if required PAM module line is present in {{ pam_file_path }} with different control ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*session\s+.*\s+pam_lastlog.so\s* state: absent check_mode: true changed_when: false register: result_pam_line_other_control_present - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the correct control for the required PAM module line in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: ^(\s*session\s+).*(\bpam_lastlog.so.*) replace: \1required \2 register: result_pam_module_edit when: - result_pam_line_other_control_present.found == 1 - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the required PAM module line is included in {{ pam_file_path }} ansible.builtin.lineinfile: dest: '{{ pam_file_path }}' insertafter: BOF line: session required pam_lastlog.so register: result_pam_module_add when: - result_pam_line_other_control_present.found == 0 or result_pam_line_other_control_present.found > 1 - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: | result_authselect_present is defined and 
result_authselect_present.stat.exists and ((result_pam_module_add is defined and result_pam_module_add.changed) or (result_pam_module_edit is defined and result_pam_module_edit.changed)) when: - result_pam_line_present.found is defined - result_pam_line_present.found == 0 - name: Ensure PAM Displays Last Logon/Access Notification - Check if the required PAM module option is present in {{ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' regexp: ^\s*session\s+required\s+pam_lastlog.so\s*.*\sshowfailed\b state: absent check_mode: true changed_when: false register: result_pam_module_showfailed_option_present - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "showfailed" PAM option for "pam_lastlog.so" is included in {{ pam_file_path }} ansible.builtin.lineinfile: path: '{{ pam_file_path }}' backrefs: true regexp: ^(\s*session\s+required\s+pam_lastlog.so.*) line: \1 showfailed state: present register: result_pam_showfailed_add when: - result_pam_module_showfailed_option_present.found == 0 - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - (result_pam_showfailed_add is defined and result_pam_showfailed_add.changed) or (result_pam_showfailed_edit is defined and result_pam_showfailed_edit.changed) when: - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: - CCE-83560-3 - CJIS-5.5.2 - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 - configure_strategy - display_login_attempts - low_complexity - low_disruption - low_severity - no_reboot_needed - name: Ensure PAM Displays Last Logon/Access Notification - Check if /etc/pam.d/postlogin file is present ansible.builtin.stat: path: /etc/pam.d/postlogin register: result_pam_file_present when: '"pam" in ansible_facts.packages' tags: - CCE-83560-3 - CJIS-5.5.2 - NIST-800-53-AC-9 - 
NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 - configure_strategy - display_login_attempts - low_complexity - low_disruption - low_severity - no_reboot_needed - name: Ensure PAM Displays Last Logon/Access Notification - Check the proper remediation for the system block: - name: Ensure PAM Displays Last Logon/Access Notification - Define the PAM file to be edited as a local fact ansible.builtin.set_fact: pam_file_path: /etc/pam.d/postlogin - name: Ensure PAM Displays Last Logon/Access Notification - Check if system relies on authselect tool ansible.builtin.stat: path: /usr/bin/authselect register: result_authselect_present - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect custom profile is used if authselect is present block: - name: Ensure PAM Displays Last Logon/Access Notification - Check integrity of authselect current profile ansible.builtin.command: cmd: authselect check register: result_authselect_check_cmd changed_when: false ignore_errors: true - name: Ensure PAM Displays Last Logon/Access Notification - Informative message based on the authselect integrity check result ansible.builtin.assert: that: - result_authselect_check_cmd is success fail_msg: - authselect integrity check failed. Remediation aborted! - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact. - It is not recommended to manually edit the PAM files when authselect tool is available. - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended. 
success_msg: - authselect integrity check passed - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current profile ansible.builtin.shell: cmd: authselect current -r | awk '{ print $1 }' register: result_authselect_profile changed_when: false when: - result_authselect_check_cmd is success - name: Ensure PAM Displays Last Logon/Access Notification - Define the current authselect profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: '{{ result_authselect_profile.stdout }}' when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Define the new authselect custom profile as a local fact ansible.builtin.set_fact: authselect_current_profile: '{{ result_authselect_profile.stdout }}' authselect_custom_profile: custom/hardening when: - result_authselect_profile is not skipped - result_authselect_profile.stdout is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Get authselect current features to also enable them in the custom profile ansible.builtin.shell: cmd: authselect current | tail -n+3 | awk '{ print $2 }' register: result_authselect_features changed_when: false when: - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Check if any custom profile with the same name was already created ansible.builtin.stat: path: /etc/authselect/{{ authselect_custom_profile }} register: result_authselect_custom_profile_present changed_when: false when: - authselect_current_profile is not match("custom/") - name: Ensure PAM Displays Last Logon/Access Notification - Create an authselect custom profile based on the current profile ansible.builtin.command: cmd: authselect create-profile hardening -b {{ authselect_current_profile }} 
when: - result_authselect_check_cmd is success - authselect_current_profile is not match("custom/") - not result_authselect_custom_profile_present.stat.exists - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=before-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the authselect custom profile is selected ansible.builtin.command: cmd: authselect select {{ authselect_custom_profile }} register: result_pam_authselect_select_profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - authselect_current_profile is not match("custom/") - authselect_custom_profile is not match(authselect_current_profile) - name: Ensure PAM Displays Last Logon/Access Notification - Restore the authselect features in the custom profile ansible.builtin.command: cmd: authselect enable-feature {{ item }} loop: '{{ result_authselect_features.stdout_lines }}' register: result_pam_authselect_restore_features when: - result_authselect_profile is not skipped - result_authselect_features is not skipped - result_pam_authselect_select_profile is not skipped - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b --backup=after-hardening-custom-profile when: - result_authselect_check_cmd is success - result_authselect_profile is not skipped - result_pam_authselect_restore_features is not skipped - name: Ensure PAM Displays Last Logon/Access Notification - Change the PAM file to be edited according to the custom authselect profile ansible.builtin.set_fact: pam_file_path: /etc/authselect/{{ 
authselect_custom_profile }}/{{ pam_file_path | basename }} when: - result_authselect_present.stat.exists - name: Ensure PAM Displays Last Logon/Access Notification - Ensure the "silent" option from "pam_lastlog.so" is not present in {{ pam_file_path }} ansible.builtin.replace: dest: '{{ pam_file_path }}' regexp: (.*session.*pam_lastlog.so.*)\bsilent\b=?[0-9a-zA-Z]*(.*) replace: \1\2 register: result_pam_option_removal - name: Ensure PAM Displays Last Logon/Access Notification - Ensure authselect changes are applied ansible.builtin.command: cmd: authselect apply-changes -b when: - result_authselect_present.stat.exists - result_pam_option_removal is changed when: - '"pam" in ansible_facts.packages' - result_pam_file_present.stat.exists tags: - CCE-83560-3 - CJIS-5.5.2 - NIST-800-53-AC-9 - NIST-800-53-AC-9(1) - PCI-DSS-Req-10.2.4 - configure_strategy - display_login_attempts - low_complexity - low_disruption - low_severity - no_reboot_needed </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check the pam_lastlog configuration</span> <span class="label label-default">oval:ssg-test_display_login_attempts:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_display_login_attempts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td><td>^\s*session\s+required\s+pam_lastlog\.so(?:\s+[\w=]+)*\s+showfailed(\s|$)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Forbid 'silent' option for 
pam_lastlog</span> <span class="label label-default">oval:ssg-test_display_login_attempts_silent:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td><td>session optional pam_lastlog.so silent </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_emergency_target_auth" id="rule-detail-idm46361752747952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-83592-6 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Emergency Systemd Target</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_emergency_target_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-require_emergency_target_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83592-6">CCE-83592-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description">Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence. 
<br><br> By default, Emergency mode is protected by requiring a password and is set in <code>/usr/lib/systemd/system/emergency.service</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode</span> <span class="label label-default">oval:ssg-test_require_emergency_service:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/emergency.service</td><td>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</td></tr></tbody></table><h4><span class="label label-primary">Tests that the systemd emergency.service is in the emergency.target</span> <span class="label label-default">oval:ssg-test_require_emergency_service_emergency_target:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/emergency.target</td><td>Requires=emergency.service</td></tr></tbody></table><h4><span class="label label-primary">look for emergency.target in /etc/systemd/system</span> <span class="label 
label-default">oval:ssg-test_no_custom_emergency_target:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for emergency.target in /etc/systemd/system">oval:ssg-object_no_custom_emergency_target:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^emergency.target$</td></tr></tbody></table><h4><span class="label label-primary">look for emergency.service in /etc/systemd/system</span> <span class="label label-default">oval:ssg-test_no_custom_emergency_service:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for emergency.service in /etc/systemd/system">oval:ssg-object_no_custom_emergency_service:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^emergency.service$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idm46361752743952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-83594-2 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-require_singleuser_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83594-2">CCE-83594-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div 
class="description">Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. <br><br> By default, single-user mode is protected by requiring a password and is set in <code>/usr/lib/systemd/system/rescue.service</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode</span> <span class="label label-default">oval:ssg-test_require_rescue_service:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/rescue.service</td><td>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</td></tr></tbody></table><h4><span class="label label-primary">Tests that the systemd rescue.service is in the runlevel1.target</span> <span class="label label-default">oval:ssg-test_require_rescue_service_runlevel1:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/runlevel1.target</td><td>Requires=sysinit.target 
rescue.service</td></tr></tbody></table><h4><span class="label label-primary">look for runlevel1.target in /etc/systemd/system</span> <span class="label label-default">oval:ssg-test_no_custom_runlevel1_target:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for runlevel1.target in /etc/systemd/system">oval:ssg-object_no_custom_runlevel1_target:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^runlevel1.target$</td></tr></tbody></table><h4><span class="label label-primary">look for rescue.service in /etc/systemd/system</span> <span class="label label-default">oval:ssg-test_no_custom_rescue_service:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for rescue.service in /etc/systemd/system">oval:ssg-object_no_custom_rescue_service:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^rescue.service$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" id="rule-detail-idm46361752689296"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Agexccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs mediumCCE-83606-4 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Age</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_maximum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83606-4">CCE-83606-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000199</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password maximum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MAX_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></pre> A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. <br><br> Setting the password maximum age ensures users are required to periodically change their passwords. 
Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179239776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362179239776"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_maximum_age_login_defs='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr>'

grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179237248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362179237248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83606-4
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_accounts_maximum_age_login_defs # promote to variable
  set_fact:
    var_accounts_maximum_age_login_defs: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</abbr>
  tags:
    - always

- name: Set Password Maximum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-83606-4
  - CJIS-5.6.2.1
  - NIST-800-171-3.5.6
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.2.4
  - accounts_maximum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_max_days:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_max_days_instance_value:var:1</td><td>99999</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" id="rule-detail-idm46361752684448"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Agexccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs mediumCCE-83610-6 </div><div class="panel-heading"><h3 
class="panel-title">Set Password Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_minimum_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83610-6">CCE-83610-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000198</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.3.9</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000075-GPOS-00043</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify password minimum age for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_DAYS <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></pre> A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. 
<br><br> Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179178464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362179178464"><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_accounts_minimum_age_login_defs='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr>'

grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362179175936" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362179175936"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83610-6
  - CJIS-5.6.2.1.1
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_accounts_minimum_age_login_defs # promote to variable
  set_fact:
    var_accounts_minimum_age_login_defs: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</abbr>
  tags:
    - always

- name: Set Password Minimum Age
  lineinfile:
    create: true
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}
  when: '"shadow-utils" in ansible_facts.packages'
  tags:
  - CCE-83610-6
  - CJIS-5.6.2.1.1
  - NIST-800-171-3.5.8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(d)
  - NIST-800-53-IA-5(f)
  - PCI-DSS-Req-8.3.9
  - accounts_minimum_age_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs</span>&nbsp;<span class="label label-default">oval:ssg-test_pass_min_days:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_min_days_instance_value:var:1</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" id="rule-detail-idm46361752671456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Warning Agexccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs mediumCCE-83609-8 </div><div class="panel-heading"><h3 
class="panel-title">Set Password Warning Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_warn_age_login_defs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83609-8">CCE-83609-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a 
href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.3.9</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">To specify how many days prior to password expiration that a warning will be issued to users, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_WARN_AGE <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs">7</abbr></pre> The DoD requirement 
is 7. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs">7</abbr></code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the password warning age enables users to make the change at a practical time.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs</span>&nbsp;<span class="label label-default">oval:ssg-test_pass_warn_age:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_warn_age_instance_value:var:1</td><td>7</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" id="rule-detail-idm46361752666576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify All Account Password Hashes are Shadowedxccdf_org.ssgproject.content_rule_accounts_password_all_shadowed mediumCCE-83618-9 </div><div class="panel-heading"><h3 class="panel-title">Verify All Account Password Hashes are Shadowed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_all_shadowed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83618-9">CCE-83618-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="">1410</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.1</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">If any password hashes are stored in <code>/etc/passwd</code> (in the second field, instead of an <code>x</code> or <code>*</code>), the cause of this misconfiguration should be investigated. 
The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The hashes for all user account passwords should be stored in the file <code>/etc/shadow</code> and never in <code>/etc/passwd</code>, which is readable by all users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">password hashes are shadowed</span>&nbsp;<span class="label label-default">oval:ssg-test_accounts_password_all_shadowed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Username</th><th>Password</th><th>User id</th><th>Group id</th><th>Gcos</th><th>Home dir</th><th>Login shell</th><th>Last login</th></tr></thead><tbody><tr><td>shutdown</td><td></td><td role="num">6</td><td role="num">0</td><td>shutdown</td><td>/sbin</td><td>/sbin/shutdown</td><td role="num">0</td></tr><tr><td>sync</td><td></td><td role="num">5</td><td role="num">0</td><td>sync</td><td>/sbin</td><td>/bin/sync</td><td role="num">0</td></tr><tr><td>lp</td><td></td><td role="num">4</td><td role="num">7</td><td>lp</td><td>/var/spool/lpd</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>polkitd</td><td></td><td role="num">998</td><td role="num">996</td><td>User for polkitd</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>systemd-oom</td><td></td><td role="num">988</td><td role="num">988</td><td>systemd Userspace OOM Killer</td><td>/</td><td>/usr/sbin/nologin</td><td role="num">0</td></tr><tr><td>root</td><td></td><td role="num">0</td><td role="num">0</td><td>root</td><td>/root</td><td>/bin/bash</td><td 
role="num">0</td></tr><tr><td>adm</td><td></td><td role="num">3</td><td role="num">4</td><td>adm</td><td>/var/adm</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>daemon</td><td></td><td role="num">2</td><td role="num">2</td><td>daemon</td><td>/sbin</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>chrony</td><td></td><td role="num">993</td><td role="num">990</td><td>chrony system user</td><td>/var/lib/chrony</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>tcpdump</td><td></td><td role="num">72</td><td role="num">72</td><td></td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>games</td><td></td><td role="num">12</td><td role="num">100</td><td>games</td><td>/usr/games</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>sshd</td><td></td><td role="num">74</td><td role="num">74</td><td>Privilege-separated SSH</td><td>/usr/share/empty.sshd</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>tss</td><td></td><td role="num">59</td><td role="num">59</td><td>Account used for TPM access</td><td>/dev/null</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>ftp</td><td></td><td role="num">14</td><td role="num">50</td><td>FTP User</td><td>/var/ftp</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>rpcuser</td><td></td><td role="num">29</td><td role="num">29</td><td>RPC Service User</td><td>/var/lib/nfs</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>mail</td><td></td><td role="num">8</td><td role="num">12</td><td>mail</td><td>/var/spool/mail</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>setroubleshoot</td><td></td><td role="num">997</td><td role="num">994</td><td>SELinux troubleshoot server</td><td>/var/lib/setroubleshoot</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>halt</td><td></td><td role="num">7</td><td role="num">0</td><td>halt</td><td>/sbin</td><td>/sbin/halt</td><td role="num">0</td></tr><tr><td>cockpit-wsinstance</td><td></td><td 
role="num">994</td><td role="num">991</td><td>User for cockpit-ws instances</td><td>/nonexisting</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>rpc</td><td></td><td role="num">32</td><td role="num">32</td><td>Rpcbind Daemon</td><td>/var/lib/rpcbind</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>sssd</td><td></td><td role="num">996</td><td role="num">993</td><td>User for sssd</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>systemd-coredump</td><td></td><td role="num">999</td><td role="num">997</td><td>systemd Core Dumper</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>nobody</td><td></td><td role="num">65534</td><td role="num">65534</td><td>Kernel Overflow User</td><td>/</td><td>/sbin/nologin</td><td role="num">-1</td></tr><tr><td>operator</td><td></td><td role="num">11</td><td role="num">0</td><td>operator</td><td>/root</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>dbus</td><td></td><td role="num">81</td><td role="num">81</td><td>System message bus</td><td>/</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>cockpit-ws</td><td></td><td role="num">995</td><td role="num">992</td><td>User for cockpit web service</td><td>/nonexisting</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>bin</td><td></td><td role="num">1</td><td role="num">1</td><td>bin</td><td>/bin</td><td>/sbin/nologin</td><td role="num">0</td></tr><tr><td>quickcluster</td><td></td><td role="num">1000</td><td role="num">1000</td><td>quickcluster</td><td>/home/quickcluster</td><td>/bin/bash</td><td role="num">1689647013</td></tr><tr><td>cloud-user</td><td></td><td role="num">1001</td><td role="num">1001</td><td>Cloud User</td><td>/home/cloud-user</td><td>/bin/bash</td><td role="num">0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idm46361752651744"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-83611-4 </div><div class="panel-heading"><h3 class="panel-title">Prevent Login to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83611-4">CCE-83611-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instance of <code>nullok</code> from <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> to prevent logins with empty passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an account has an empty password, anyone could log in and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;If the system relies on the <code>authselect</code> tool to manage PAM settings, the remediation will also use the <code>authselect</code> tool. However, if any manual modification was made to the PAM files, the <code>authselect</code> integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. Note that this rule is not applicable to systems running within a container. A user with an empty password inside a container is not considered a risk, because it should not be possible to log in to a container directly anyway.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178689152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#8690;</a><br><div class="panel-collapse collapse" id="idm46362178689152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] &amp;&amp; [ ! -f /run/.containerenv ]; then

if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
        echo "
        authselect integrity check failed. Remediation aborted!
        This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
        It is not recommended to manually edit the PAM files when authselect tool is available.
        In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended."
        exit 1
    fi
    authselect enable-feature without-nullok
    authselect apply-changes -b
else
    if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
        sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
    fi
    if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/system-auth"; then
        sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/system-auth"
    fi
    if grep -qP '^\s*auth\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
        sed -i -E --follow-symlinks 's/(.*auth.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
    fi
    if grep -qP '^\s*password\s+'"sufficient"'\s+pam_unix.so\s.*\bnullok\b' "/etc/pam.d/password-auth"; then
        sed -i -E --follow-symlinks 's/(.*password.*'"sufficient"'.*pam_unix.so.*)\snullok=?[[:alnum:]]*(.*)/\1\2/g' "/etc/pam.d/password-auth"
    fi
fi

else
    &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178684720" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#8690;</a><br><div class="panel-collapse collapse" id="idm46362178684720"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on authselect
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed

- name: Prevent Login to Accounts With Empty Password - Remediate using authselect
  block:
  - name: Prevent Login to Accounts With Empty Password - Check integrity of authselect current profile
    ansible.builtin.command:
      cmd: authselect check
    register: result_authselect_check_cmd
    changed_when: false
    ignore_errors: true
  - name: Prevent Login to Accounts With Empty Password - Informative message based on the authselect integrity check result
    ansible.builtin.assert:
      that:
      - result_authselect_check_cmd is success
      fail_msg:
      - authselect integrity check failed. Remediation aborted!
      - This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.
      - It is not recommended to manually edit the PAM files when authselect tool is available.
      - In cases where the default authselect profile does not cover a specific demand, a custom authselect profile is recommended.
      success_msg:
      - authselect integrity check passed
  - name: Prevent Login to Accounts With Empty Password - Get authselect current features
    ansible.builtin.shell:
      cmd: authselect current | tail -n+3 | awk '{ print $2 }'
    register: result_authselect_features
    changed_when: false
    when:
    - result_authselect_check_cmd is success
  - name: Prevent Login to Accounts With Empty Password - Ensure "without-nullok" feature is enabled using authselect tool
    ansible.builtin.command:
      cmd: authselect enable-feature without-nullok
    register: result_authselect_enable_feature_cmd
    when:
    - result_authselect_check_cmd is success
    - result_authselect_features.stdout is not search("without-nullok")
  - name: Prevent Login to Accounts With Empty Password - Ensure authselect changes are applied
    ansible.builtin.command:
      cmd: authselect apply-changes -b
    when:
    - result_authselect_enable_feature_cmd is not skipped
    - result_authselect_enable_feature_cmd is success
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - result_authselect_present.stat.exists
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed

- name: Prevent Login to Accounts With Empty Password - Remediate directly editing PAM files
  ansible.builtin.replace:
    dest: '{{ item }}'
    regexp: nullok
  loop:
  - /etc/pam.d/system-auth
  - /etc/pam.d/password-auth
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - not result_authselect_present.stat.exists
  tags:
  - CCE-83611-4
  - CJIS-5.5.2
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-53-IA-5(c)
  - PCI-DSS-Req-8.2.3
  - configure_strategy
  - high_severity
  - low_complexity
  - medium_disruption
  - no_empty_passwords
  - no_reboot_needed
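
Added example (not from the report above and not ComplianceAsCode code): a POSIX shell audit
of what this rule guards against, run on sample files constructed inline. It counts pam_unix.so
lines that still carry nullok under any control flag, not only "sufficient" lines as the shell
remediation above does; lists accounts whose shadow password field is empty, which is the state
nullok turns into a password-less login; and strips the token the way a control-agnostic fallback
would. The regular expressions and the sample file contents are this example's own assumptions,
not the OVAL test's exact pattern.

```sh
#!/bin/sh
# Added example, not part of the OpenSCAP report or of ComplianceAsCode.
# Checks the two conditions behind rule no_empty_passwords on constructed samples:
# pam_unix.so lines still carrying a nullok token, and accounts whose shadow
# password field is empty. Unlike the shell remediation in the report, which only
# touches "sufficient" lines, strip_nullok() handles any control flag. The regexes
# are this example's approximation of the OVAL test, not the project's pattern.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample modelled on the failing system-auth in the OVAL details,
# plus a "required" password line that the report's remediation would leave alone.
printf '%s\n' \
  'auth        required      pam_env.so' \
  'auth        sufficient    pam_unix.so try_first_pass nullok' \
  'auth        required      pam_deny.so' \
  'account     required      pam_unix.so' \
  'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=' \
  'password    required      pam_unix.so try_first_pass use_authtok nullok sha512 shadow' \
  > "$WORK/system-auth"

# Constructed shadow-style file: a hashed account, a locked account, and one
# with an empty password field. The hash is fake, not a real credential.
printf '%s\n' \
  'root:$6$fakesalt$fakehashfakehashfakehash:19500:0:99999:7:::' \
  'svc:!!:19500:0:99999:7:::' \
  'guest::19500:0:99999:7:::' \
  > "$WORK/shadow"

# nullok must be a standalone token (so "without-nullok" is not a hit); nullok=value is allowed.
NULLOK_RE='^[[:space:]]*(auth|password)[[:space:]]+.*pam_unix\.so.*[[:space:]]nullok(=[[:alnum:]]*)?([[:space:]]|$)'

# Number of auth/password pam_unix.so lines carrying nullok in PAM file $1 (prints 0 if none).
pam_nullok_count() {
    grep -cE "$NULLOK_RE" "$1" || true
}

# Write PAM file $1 to stdout with the nullok token removed from every pam_unix.so line.
strip_nullok() {
    sed -E '/pam_unix\.so/ s/[[:space:]]+nullok(=[[:alnum:]]*)?([[:space:]]+|$)/\2/g' "$1"
}

# Account names whose password field (field 2) in shadow-format file $1 is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Returns 0 only when PAM file $1 has no nullok and shadow file $2 has no empty password field.
audit_empty_passwords() {
    if [ "$(pam_nullok_count "$1")" -ne 0 ]; then return 1; fi
    if [ -n "$(empty_password_accounts "$2")" ]; then return 1; fi
    return 0
}

echo "nullok lines in system-auth: $(pam_nullok_count "$WORK/system-auth")"
echo "accounts with an empty password field: $(empty_password_accounts "$WORK/shadow")"
strip_nullok "$WORK/system-auth" > "$WORK/system-auth.fixed"
echo "nullok lines after strip_nullok: $(pam_nullok_count "$WORK/system-auth.fixed")"
if audit_empty_passwords "$WORK/system-auth.fixed" "$WORK/shadow"; then
    echo "audit: pass"
else
    echo "audit: FAIL (guest still has an empty password: lock it with passwd -l or set one)"
fi
```

To run it against a real host, point the functions at /etc/pam.d/system-auth, /etc/pam.d/password-auth
and /etc/shadow as root. On an authselect-managed system prefer "authselect enable-feature without-nullok"
as the remediation above does, because directly editing the generated PAM files fails its integrity check.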
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362178675104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362178675104"><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aaut
h%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A mode: 0644 path: /etc/pam.d/password-auth overwrite: true - contents: source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20suffici
ent%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A mode: 0644 path: /etc/pam.d/system-auth overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">make sure nullok is not used in /etc/pam.d/system-auth</span>Â <span class="label label-default">oval:ssg-test_no_empty_passwords:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow</td></tr><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so account required pam_unix.so password requisite 
pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" id="rule-detail-idm46361752634272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-83624-7 </div><div class="panel-heading"><h3 class="panel-title">Verify Only Root Has UID 0</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_no_uid_except_zero:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83624-7">CCE-83624-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(5)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.2.9</a></p></td></tr><tr><td>Description</td><td><div class="description">If any account other than root has a UID of 0, this misconfiguration should be investigated, and the accounts other than root should be removed or have their UID changed. <br> If the account is associated with system commands or applications, change its UID to one greater than 0 but less than 1000. Otherwise, assign a UID of 1000 or greater that has not already been assigned.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. 
Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">test that there are no accounts with UID 0 except root in the /etc/passwd file</span> <span class="label label-default">oval:ssg-test_accounts_no_uid_except_root:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_no_uid_except_root:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>^(?!root:)[^:]*:[^:]*:0</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="rule-detail-idm46361752622816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-83623-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure that System Accounts Do Not Run a Shell Upon Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component 
satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_shelllogin_for_systemaccounts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83623-9">CCE-83623-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, 
<a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="">1491</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.6.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.6.2</a></p></td></tr><tr><td>Description</td><td><div class="description">Some accounts are not associated with a human user of the system, 
and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell. <br><br> The login shell for each local account is stored in the last field of each line in <code>/etc/passwd</code>. System accounts are those user accounts with a user ID less than UID_MIN, where the value of the UID_MIN directive is set in the <code>/etc/login.defs</code> configuration file. In the default configuration UID_MIN is set to 1000, so system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account <i>SYSACCT</i> (other than root) has a login shell, disable it with the command: <pre>$ sudo usermod -s /sbin/nologin <i>SYSACCT</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Ensuring that system accounts are not given a shell upon login makes it more difficult for attackers to make use of them.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Do not perform the steps in this section on the root account. 
Doing so might cause the system to become inaccessible.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">SYS_UID_MIN not defined in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_sys_uid_min_not_defined:tst:1</span> <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. 
# #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. # #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. 
# #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201</td></tr></tbody></table><h4><span class="label label-primary">SYS_UID_MAX not defined in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_sys_uid_max_not_defined:tst:1</span> <span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/login.defs</td><td># # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. 
None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # # Delay in seconds before being allowed another attempt after a login failure # Note: When PAM is used, some modules may enforce a minimum delay (e.g. # pam_unix(8) enforces a 2s delay) # #FAIL_DELAY 3 # Currently FAILLOG_ENAB is not supported # # Enable display of unknown usernames when login(1) failures are recorded. # #LOG_UNKFAIL_ENAB no # Currently LOG_OK_LOGINS is not supported # Currently LASTLOG_ENAB is not supported # # Limit the highest user ID number for which the lastlog entries should # be updated. # # No LASTLOG_UID_MAX means that there is no user ID limit for writing # lastlog entries. # #LASTLOG_UID_MAX # Currently MAIL_CHECK_ENAB is not supported # Currently OBSCURE_CHECKS_ENAB is not supported # Currently PORTTIME_CHECKS_ENAB is not supported # Currently QUOTAS_ENAB is not supported # Currently SYSLOG_SU_ENAB is not supported # # Enable "syslog" logging of newgrp(1) and sg(1) activity. # #SYSLOG_SG_ENAB yes # Currently CONSOLE is not supported # Currently SULOG_FILE is not supported # Currently MOTD_FILE is not supported # Currently ISSUE_FILE is not supported # Currently TTYTYPE_FILE is not supported # Currently FTMP_FILE is not supported # Currently NOLOGINS_FILE is not supported # Currently SU_NAME is not supported # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # MAIL_DIR /var/spool/mail #MAIL_FILE .mail # # If defined, file which inhibits all the usual chatter during the login # sequence. If a full pathname, then hushed mode will be enabled if the # user's name or shell are found in the file. If not a full pathname, then # hushed mode will be enabled if the file exists in the user's home directory. 
# #HUSHLOGIN_FILE .hushlogin #HUSHLOGIN_FILE /etc/hushlogins # Currently ENV_TZ is not supported # Currently ENV_HZ is not supported # # The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) #ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin #ENV_PATH PATH=/bin:/usr/bin # # Terminal permissions # # TTYGROUP Login tty will be assigned this group ownership. # TTYPERM Login tty will be set to this permission. # # If you have a write(1) program which is "setgid" to a special group # which owns the terminals, define TTYGROUP as the number of such group # and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and # set TTYPERM to either 622 or 600. # #TTYGROUP tty #TTYPERM 0600 # Currently ERASECHAR, KILLCHAR and ULIMIT are not supported # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. 
# PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_WARN_AGE 7 # Currently PASS_MIN_LEN is not supported # Currently SU_WHEEL_ONLY is not supported # Currently CRACKLIB_DICTPATH is not supported # # Min/max values for automatic uid selection in useradd(8) # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999</td></tr></tbody></table><h4><span class="label label-primary">&lt;0, UID_MIN - 1&gt; system UIDs having shell set</span> <span class="label label-default">oval:ssg-test_shell_defined_default_uid_range:tst:1</span> <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table><h4><span class="label label-primary">&lt;0, SYS_UID_MIN&gt; system UIDs having shell set</span> <span class="label label-default">oval:ssg-test_shell_defined_reserved_uid_range:tst:1</span> <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table><h4><span class="label label-primary">&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDs having shell set</span> <span class="label label-default">oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1</span> <span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/passwd</td><td>quickcluster:x:1000:1000:quickcluster:/home/quickcluster:/bin/bash</td></tr><tr><td>/etc/passwd</td><td>cloud-user:x:1001:1001:Cloud User:/home/cloud-user:/bin/bash</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_enable_authselect" id="rule-detail-idm46361752918272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-89732-2 </div><div 
class="panel-heading"><h3 class="panel-title">Enable authselect</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_authselect</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_authselect:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-89732-2">CCE-89732-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.4.1</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure user authentication setup to use the <code>authselect</code> tool. If authselect profile is selected, the rule will enable the <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr> profile.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Authselect is a successor to authconfig. 
It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several well-tested and supported profiles that solve different use-cases.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;If the <code>sudo authselect select</code> command returns an error informing that the chosen profile cannot be selected, it is probably because PAM files have already been modified by the administrator. If this is the case, in order to not overwrite the desired changes made by the administrator, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183515360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362183515360"><pre><code>var_authselect_profile='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr>'

authselect select "$var_authselect_profile"
if test "$?" -ne 0; then
    # Only force the profile when the pam package's files are still pristine;
    # otherwise an administrator's manual PAM changes would be overwritten.
    if rpm --quiet --verify pam; then
        authselect select --force "$var_authselect_profile"
    else
        echo "Files in the 'pam' package have been altered, so the authselect configuration won't be forced" >&2
    fi
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362183512944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362183512944"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value var_authselect_profile # promote to variable
  set_fact:
    var_authselect_profile: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_authselect_profile">sssd</abbr>
  tags:
    - always

- name: Select authselect profile
  ansible.builtin.command:
    cmd: authselect select "{{ var_authselect_profile }}"
  ignore_errors: true
  register: result_authselect_select
  tags:
  - CCE-89732-2
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Verify if PAM has been altered
  ansible.builtin.command:
    cmd: rpm -qV pam
  register: result_altered_authselect
  ignore_errors: true
  when: result_authselect_select is failed
  tags:
  - CCE-89732-2
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Informative message based on the authselect integrity check
  ansible.builtin.assert:
    that:
    - result_altered_authselect is success
    fail_msg:
    - Files in the 'pam' package have been altered, so the authselect configuration won't be forced.
  tags:
  - CCE-89732-2
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed

- name: Force authselect profile select
  ansible.builtin.command:
    cmd: authselect select --force "{{ var_authselect_profile }}"
  when:
  - result_altered_authselect is success
  - result_authselect_select is failed
  tags:
  - CCE-89732-2
  - NIST-800-53-AC-3
  - configure_strategy
  - enable_authselect
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart</span>&nbsp;<span class="label label-default">oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_fingerprint_symlinked_to_authselect:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/fingerprint-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'password-auth' PAM config is a symlink to its authselect counterpart</span>&nbsp;<span class="label label-default">oval:ssg-test_pam_password_symlinked_to_authselect:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_password_symlinked_to_authselect:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'postlogin' PAM config is a symlink to its authselect counterpart</span>&nbsp;<span class="label label-default">oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_postlogin_symlinked_to_authselect:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/postlogin</td></tr></tbody></table><h4><span class="label label-primary">The 'smartcard-auth' PAM config is a symlink to its authselect counterpart</span>&nbsp;<span class="label label-default">oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_smartcard_symlinked_to_authselect:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/smartcard-auth</td></tr></tbody></table><h4><span class="label label-primary">The 'system-auth' PAM config is a symlink to its authselect counterpart</span>&nbsp;<span class="label label-default">oval:ssg-test_pam_system_symlinked_to_authselect:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="see the test comment">oval:ssg-object_pam_system_symlinked_to_authselect:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" id="rule-detail-idm46361752435232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-83830-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chmod</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_dac_modification_chmod:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83830-0">CCE-83830-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="">SRG-OS-000458-VMM-001810</a>, <a href="">SRG-OS-000474-VMM-001940</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.9</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect file permission changes for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the system is 64-bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the system is 64-bit then also add the following line: <pre>-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independently of other system calls. 
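<p>The description gives the two rules to add, and this warning points out that the same syscall may instead be grouped into a rule that already audits related calls; the remediation script under this rule implements that matching for both <code>augenrules</code> and <code>auditctl</code> layouts. The following is an added example, not part of this report or of the SSG remediation content, that shows the core of that check in portable shell: a rule counts as covering <code>chmod</code> only if it carries the same action, arch and auid filters, no additional <code>-F</code> field that narrows its scope, and the syscall in its <code>-S</code> list (a grouped list such as <code>-S chmod,fchmod,fchmodat</code> counts); when nothing covers it, the syscall is merged into a sibling rule of the same family or appended as a new line. The function names, the <code>SYSCALL_GROUP</code> list and the sample rules file are assumptions made for the example.</p>

```shell
#!/bin/sh
# Added example: a portable-shell version of the "is this syscall already
# audited with these filters?" check that the remediation performs before it
# edits anything. Not from the report or from SSG; the function names, the
# SYSCALL_GROUP list and the sample data below are assumptions.

AUID_FILTERS='-F auid>=1000 -F auid!=unset'
SYSCALL_GROUP='chmod fchmod fchmodat'   # syscalls allowed to share one rule (assumed family)

# audit_rule_find FILE ARCH SYSCALL
# Print the line number of the first rule in FILE that covers SYSCALL for ARCH
# with exactly the required filters; exit 1 when there is none.
audit_rule_find() {
    file=$1; arch=$2; want=$3; n=0
    [ -r "$file" ] || return 1
    while IFS= read -r line; do
        n=$((n + 1))
        # Same action/list/arch prefix and same auid filters, otherwise not comparable.
        case "$line" in "-a always,exit -F arch=$arch "*) ;; *) continue ;; esac
        case "$line" in *"$AUID_FILTERS"*) ;; *) continue ;; esac
        # Strip every field we expect; any -F left over means the rule is narrower
        # than required (for example an extra -F path=...), so it does not count.
        extra=$(printf '%s\n' "$line" | sed \
            -e "s/^-a always,exit -F arch=$arch//" \
            -e "s/$AUID_FILTERS//" \
            -e 's/-S [[:alnum:],_]*//g' \
            -e 's/-F key=[[:alnum:]_]*//' \
            -e 's/-k [[:alnum:]_]*//')
        case "$extra" in *-F*) continue ;; esac
        # Flatten "-S a,b -S c" into one syscall per line and look for an exact name.
        if printf '%s\n' "$line" | grep -o -- '-S [[:alnum:],_]*' \
               | sed 's/^-S //' | tr ',' '\n' | grep -qx -- "$want"; then
            printf '%s\n' "$n"
            return 0
        fi
    done < "$file"
    return 1
}

# audit_rule_ensure FILE ARCH SYSCALL KEY
# Make FILE cover SYSCALL: do nothing if it already does, otherwise extend the
# first rule of the same family (e.g. "-S fchmod,fchmodat" gains ",chmod") or,
# failing that, append a complete new rule.
audit_rule_ensure() {
    f=$1; a=$2; s=$3; k=$4
    audit_rule_find "$f" "$a" "$s" >/dev/null && return 0
    for sibling in $SYSCALL_GROUP; do
        [ "$sibling" = "$s" ] && continue
        lineno=$(audit_rule_find "$f" "$a" "$sibling") || continue
        tmp=$(mktemp) || return 1
        # Append the syscall to the first -S list of that line only.
        sed -e "${lineno}s/-S \([[:alnum:],_]*\)/-S \1,$s/" "$f" > "$tmp" \
            && cat "$tmp" > "$f"          # cat, not mv: keep the file's mode bits
        rm -f "$tmp"
        return 0
    done
    printf '%s\n' "-a always,exit -F arch=$a -S $s $AUID_FILTERS -F key=$k" >> "$f"
}

# Demonstration on a constructed rules file (sample data, not taken from the scanned host).
demo_audit_rules() {
    d=$(mktemp) || return 1
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod' \
        '-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F path=/tmp -F key=perm_mod' \
        '-w /etc/passwd -p wa -k identity' > "$d"
    audit_rule_ensure "$d" b64 chmod perm_mod   # grouped into line 1
    audit_rule_ensure "$d" b32 chmod perm_mod   # line 2 is too narrow: a new rule is appended
    cat "$d"
    rm -f "$d"
}

demo_audit_rules
```

<p>Run against a real host, point the functions at <code>/etc/audit/rules.d/*.rules</code> or <code>/etc/audit/audit.rules</code> depending on which loader <code>auditd</code> uses, as the table in the remediation script spells out; <code>auditctl -l</code> afterwards shows what the kernel actually loaded, which is what the OVAL check ultimately cares about.</p>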
Grouping these system calls with others, as identified earlier in this guide, is more efficient.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173451136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362173451136"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS=""
    AUID_FILTERS="-F auid>=1000 -F auid!=unset"
    SYSCALL="chmod"
    KEY="perm_mod"
    SYSCALL_GROUPING="chmod fchmod fchmodat"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                   # A syscall was not found in the candidate rule
                   all_syscalls_found=1
                   }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
               # A syscall was not found in the candidate rule
               new_grouped_syscalls+="${delimiter}${syscall}"
               }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                   # A syscall was not found in the candidate rule
                   all_syscalls_found=1
                   }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173426912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362173426912"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83830-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Set architecture for audit chmod tasks set_fact: audit_arch: b64 when: - '"audit" in 
ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83830-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for chmod for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | 
length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F 
arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83830-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Perform remediation of Audit rules for chmod for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count 
occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - chmod syscall_grouping: - chmod - fchmod - fchmodat - name: Check existence of chmod in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: 
audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83830-0 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.5.5 - audit_rules_dac_modification_chmod - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit chmod</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit chmod</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span 
class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit chmod</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit 
architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit chmod</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" id="rule-detail-idm46361752431232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-83812-8 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Discretionary Access Controls - chown</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_dac_modification_chown:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83812-8">CCE-83812-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a href="">SRG-OS-000458-VMM-001810</a>, <a href="">SRG-OS-000474-VMM-001940</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.9</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect file permission changes for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the system is 64-bit, then also add the following line: <pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre> If the system is 64-bit, then also add the following line: <pre>-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identified earlier in this guide is more efficient.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173296880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362173296880"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS=""
    AUID_FILTERS="-F auid>=1000 -F auid!=unset"
    SYSCALL="chown"
    KEY="perm_mod"
    SYSCALL_GROUPING="chown fchown fchownat lchown"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule
    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, let's use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule
    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    default_file="/etc/audit/audit.rules"
    files_to_inspect+=('/etc/audit/audit.rules' )

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362173280256" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362173280256"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83812-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_dac_modification_chown
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Set architecture for audit chown tasks
  set_fact:
    audit_arch: b64
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83812-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_dac_modification_chown
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Perform remediation of Audit rules for chown for 32bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - chown
      syscall_grouping:
      - chown
      - fchown
      - fchownat
      - lchown

  - name: Check existence of chown in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - chown
      syscall_grouping:
      - chown
      - fchown
      - fchownat
      - lchown

  - name: Check existence of chown in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83812-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_dac_modification_chown
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Perform remediation of Audit rules for chown for 64bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - chown
      syscall_grouping:
      - chown
      - fchown
      - fchownat
      - lchown

  - name: Check existence of chown in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/perm_mod.rules
    set_fact: audit_file="/etc/audit/rules.d/perm_mod.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - chown
      syscall_grouping:
      - chown
      - fchown
      - fchownat
      - lchown

  - name: Check existence of chown in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=perm_mod
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83812-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_dac_modification_chown
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit chown</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_chown_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chown_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit chown</span> <span class="label label-default">oval:ssg-test_64bit_ardm_chown_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chown_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span 
class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit chown</span> <span class="label label-default">oval:ssg-test_32bit_ardm_chown_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_chown_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit 
architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit chown</span> <span class="label label-default">oval:ssg-test_64bit_ardm_chown_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_chown_auditctl:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" id="rule-detail-idm46361752386592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run chconxccdf_org.ssgproject.content_rule_audit_rules_execution_chcon mediumCCE-83748-4 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run chcon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_chcon:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83748-4">CCE-83748-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.15</a></p></td></tr><tr><td>Description</td><td><div 
class="description">At a minimum, the audit system should collect any execution attempt of the <code>chcon</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171103104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362171103104"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/bin/chcon -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined | Audit rules file to inspect      |
# -----------------------------------------------------------------------------------------
#  auditctl                      | Doesn't matter       | /etc/audit/audit.rules           |
# -----------------------------------------------------------------------------------------
#  augenrules                    | Yes                  | /etc/audit/rules.d/*.rules       |
#  augenrules                    | No                   | /etc/audit/rules.d/$key.rules    |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check whether any field was left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined | Audit rules file to inspect      |
# -----------------------------------------------------------------------------------------
#  auditctl                      | Doesn't matter       | /etc/audit/audit.rules           |
# -----------------------------------------------------------------------------------------
#  augenrules                    | Yes                  | /etc/audit/rules.d/*.rules       |
#  augenrules                    | No                   | /etc/audit/rules.d/$key.rules    |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check whether any field was left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171087360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362171087360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83748-4
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_chcon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/bin/chcon
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] tags: - CCE-83748-4 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - audit_rules_execution_chcon - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules chcon</span> <span class="label label-default">oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label 
label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl chcon</span> <span class="label label-default">oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" id="rule-detail-idm46361752382592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run restoreconxccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon mediumCCE-83749-2 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run restorecon</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_restorecon:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83749-2">CCE-83749-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a 
href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>restorecon</code> command for all users and root. 
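As an added example (not part of this report, of OpenSCAP, or of the SSG content), the following shell script reproduces the OVAL check that this rule and the chcon rule above use: it reads which loader auditd.service runs after start (the "audit augenrules" / "audit auditctl" tests), then greps only the file set that loader actually reads with an ERE equivalent to the textfilecontent54 pattern shown in the OVAL details. The helper names are hypothetical, and make_fixture builds constructed sample files in a temporary directory rather than touching /etc/audit.

```shell
#!/usr/bin/env bash
# Added example, not OpenSCAP or SSG code: re-implement the report's OVAL check for an
# execution-audit rule on a privileged binary (chcon, restorecon) in plain shell.
# Helper names are hypothetical; make_fixture builds constructed sample files.

# Print an ERE equivalent to the OVAL textfilecontent54 pattern for the binary at PATH.
# [[:space:]] replaces \s for portability; only '.' in PATH needs escaping.
audit_rule_regex() {
    local esc
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s' "^[[:space:]]*-a[[:space:]]+always,exit[[:space:]]+-F[[:space:]]+path=${esc}([[:space:]]+-F[[:space:]]+perm=x)[[:space:]]+-F[[:space:]]+auid>=1000[[:space:]]+-F[[:space:]]+auid!=(4294967295|unset|-1)[[:space:]]+(-k[[:space:]]+|-F[[:space:]]+key=)[^[:space:]]+[[:space:]]*$"
}

# Which loader auditd.service runs after start (the two loader tests in the OVAL details).
# Prints augenrules, auditctl or unknown and always exits 0 so callers can case on the word.
rule_loader() {
    if grep -Eq '^ExecStartPost=-?/sbin/augenrules' "$1"; then
        echo augenrules
    elif grep -Eq '^ExecStartPost=-?/sbin/auditctl' "$1"; then
        echo auditctl
    else
        echo unknown
    fi
}

# rule_present PATH FILE...: exit 0 if any FILE contains a compliant rule for PATH.
rule_present() {
    local re
    re=$(audit_rule_regex "$1")
    shift
    grep -Eqs -e "$re" "$@"
}

# check_rule PATH UNIT RULES_D AUDIT_RULES: look only where the active loader reads from.
# A rule that exists only in audit.rules does not satisfy an augenrules system, and vice
# versa, which is why the report pairs each rule test with a loader test.
check_rule() {
    local path="$1" unit="$2" rules_d="$3" audit_rules="$4"
    case "$(rule_loader "$unit")" in
        augenrules) rule_present "$path" "$rules_d"/*.rules ;;
        auditctl)   rule_present "$path" "$audit_rules" ;;
        *)          return 2 ;;
    esac
}

# Constructed fixture under DIR: augenrules loader, chcon rule present in rules.d,
# restorecon rule present only in audit.rules (which augenrules ignores).
make_fixture() {
    mkdir -p "$1/rules.d"
    printf '%s\n' '[Service]' 'ExecStartPost=-/sbin/augenrules --load' > "$1/auditd.service"
    printf '%s\n' '-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' > "$1/rules.d/privileged.rules"
    printf '%s\n' '-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged' > "$1/audit.rules"
}

# Stand-alone run against the fixture: chcon passes, restorecon fails.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
for bin in /usr/bin/chcon /usr/sbin/restorecon; do
    if check_rule "$bin" "$demo_dir/auditd.service" "$demo_dir/rules.d" "$demo_dir/audit.rules"; then
        echo "pass $bin"
    else
        echo "fail $bin"
    fi
done
rm -rf "$demo_dir"
```

To run it against a live host, call check_rule with /usr/lib/systemd/system/auditd.service, /etc/audit/rules.d and /etc/audit/audit.rules instead of the fixture paths; a rule that lacks -F perm=x or uses a key other than -k/-F key= will not match, exactly as it would not satisfy the OVAL object.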
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362171012432" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362171012432"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/restorecon -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
file_to_inspect="/etc/audit/rules.d/$KEY.rules"
files_to_inspect=("$file_to_inspect")
if [ ! -e "$file_to_inspect" ]
then
touch "$file_to_inspect"
chmod 0640 "$file_to_inspect"
fi
fi
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e., collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-th argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields than required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# then check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an existing rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoiding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
for audit_file in "${files_to_inspect[@]}"
do
# Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
# i.e., collect rules that match:
# * the action, list and arch, (2-nd argument)
# * the other filters, (3-rd argument)
# * the auid filters, (4-th argument)
readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")
candidate_rules=()
# Filter out rules that have more fields than required. This will remove rules more specific than the required scope
for s_rule in "${similar_rules[@]}"
do
# Strip all the options and fields we know of,
# then check if there was any field left over
extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
done
if [[ ${#syscall_a[@]} -ge 1 ]]
then
# Check if the syscall we want is present in any of the similar existing rules
for rule in "${candidate_rules[@]}"
do
rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
all_syscalls_found=0
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
# A syscall was not found in the candidate rule
all_syscalls_found=1
}
done
if [[ $all_syscalls_found -eq 0 ]]
then
# We found a rule with all the syscall(s) we want; skip rest of macro
skip=0
break
fi
# Check if this rule can be grouped with our target syscall and keep track of it
for syscall_g in "${syscall_grouping[@]}"
do
if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
then
file_to_edit=${audit_file}
rule_to_edit=${rule}
rule_syscalls_to_edit=${rule_syscalls}
fi
done
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
fi
if [ "$skip" -eq 0 ]; then
break
fi
done
if [ "$skip" -ne 0 ]; then
# We checked all rules that matched the expected resemblance pattern (action, arch & auid)
# At this point we know if we need to either append the $full_rule or group
# the syscall together with an existing rule
# Append the full_rule if it cannot be grouped to any other rule
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoiding double spaces when other_filters is empty
if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
do
syscall_string+=" -S $syscall"
done
fi
other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
echo "$full_rule" >> "$default_file"
chmod o-rwx ${default_file}
else
# Check if the syscalls are declared as a comma separated list or
# as multiple -S parameters
if grep -q -- "," <<< "${rule_syscalls_to_edit}"
then
delimiter=","
else
delimiter=" -S "
fi
new_grouped_syscalls="${rule_syscalls_to_edit}"
for syscall in "${syscall_a[@]}"
do
grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
# A syscall was not found in the candidate rule
new_grouped_syscalls+="${delimiter}${syscall}"
}
done
# Group the syscall in the rule
sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
fi
fi

else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170986336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362170986336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83749-2 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - audit_rules_execution_restorecon - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for /usr/sbin/restorecon block: - name: Declare list of syscalls set_fact: 
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83749-2
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_restorecon
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules restorecon</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl restorecon</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" id="rule-detail-idm46361752378592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run semanagexccdf_org.ssgproject.content_rule_audit_rules_execution_semanage mediumCCE-83750-0 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run
semanage</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_semanage:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83750-0">CCE-83750-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a 
href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>semanage</code> command for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with the suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170899824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#8690;</a><br><div class="panel-collapse collapse" id="idm46362170899824"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/semanage -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170884288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#8690;</a><br><div class="panel-collapse collapse" id="idm46362170884288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83750-0
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_semanage
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/sbin/semanage
  block:

  - name: Declare list of
syscalls set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules set_fact: audit_file="/etc/audit/rules.d/privileged.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F 
auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: [] syscall_grouping: [] - name: Check existence of in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83750-0 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(4) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - audit_rules_execution_semanage - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules semanage</span>Â <span class="label label-default">oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span 
class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl semanage</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" id="rule-detail-idm46361752374592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setfilesxccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles mediumCCE-83736-9 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setfiles</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_setfiles:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83736-9">CCE-83736-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>setfiles</code> command for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170852768" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170852768"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/setfiles -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-rd argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # than check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                   # A syscall was not found in the candidate rule
                   all_syscalls_found=1
                   }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
       break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an exsiting rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoid adding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
               # A syscall was not found in the candidate rule
               new_grouped_syscalls+="${delimiter}${syscall}"
               }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule
# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-rd argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # than check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                   # A syscall was not found in the candidate rule
                   all_syscalls_found=1
                   }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
       break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an exsiting rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoid adding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
               # A syscall was not found in the candidate rule
               new_grouped_syscalls+="${delimiter}${syscall}"
               }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170837040" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362170837040"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83736-9
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_setfiles
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/sbin/setfiles
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83736-9
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_setfiles
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules setfiles</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label 
label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl setfiles</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" id="rule-detail-idm46361752370592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run setseboolxccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool mediumCCE-83751-8 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run setsebool</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_setsebool:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83751-8">CCE-83751-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a 
href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>setsebool</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. 
<br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170756128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170756128"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/setsebool -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170740304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362170740304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83751-8
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_setsebool
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for /usr/sbin/setsebool
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83751-8
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_setsebool
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules setsebool</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label
label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl setsebool</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" id="rule-detail-idm46361752366592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Any Attempts to Run seunsharexccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare mediumCCE-83746-8 </div><div class="panel-heading"><h3 class="panel-title">Record Any Attempts to Run
seunshare</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_execution_seunshare:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83746-8">CCE-83746-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a
href="">SRG-OS-000463-VMM-001850</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum, the audit system should collect any execution attempt of the <code>seunshare</code> command for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. 
As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170710944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362170710944"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

ACTION_ARCH_FILTERS="-a always,exit"
OTHER_FILTERS="-F path=/usr/sbin/seunshare -F perm=x"
AUID_FILTERS="-F auid>=1000 -F auid!=unset"
SYSCALL=""
KEY="privileged"
SYSCALL_GROUPING=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required.
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362170695120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362170695120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83746-8 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - audit_rules_execution_seunshare - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for /usr/sbin/seunshare block: - name: Declare list of syscalls set_fact: syscalls: [] 
      syscall_grouping: []

  - name: Check existence of in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/privileged.rules
    set_fact: audit_file="/etc/audit/rules.d/privileged.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls: []
      syscall_grouping: []

  - name: Check existence of in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit{{ syscalls | join(',') }} -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83746-8
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - audit_rules_execution_seunshare
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules seunshare</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl seunshare</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" id="rule-detail-idm46361752285856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification mediumCCE-83793-0 </div><div class="panel-heading"><h3 
class="panel-title">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_unsuccessful_file_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83793-0">CCE-83793-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">At a minimum the audit system should collect unauthorized file accesses for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> If the system is 64-bit, then also add the following lines: <pre>-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre> If the system is 64-bit, then also add the following lines: <pre>-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. 
Auditing these events could serve as evidence of potential system compromise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;This rule checks for multiple syscalls related to unsuccessful file modification; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: <ul><li><code>audit_rules_unsuccessful_file_modification_open</code></li><li><code>audit_rules_unsuccessful_file_modification_ftruncate</code></li><li><code>audit_rules_unsuccessful_file_modification_creat</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362169398720" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362169398720"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    # First fix the -EACCES requirement
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS="-F exit=-EACCES"
    AUID_FILTERS="-F auid>=1000 -F auid!=unset"
    SYSCALL="creat open openat open_by_handle_at truncate ftruncate"
    KEY="access"
    SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, let's use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi

    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    default_file="/etc/audit/audit.rules"
    files_to_inspect+=('/etc/audit/audit.rules' )

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required.
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi # Then fix the -EPERM requirement # No need to change content of $GROUP variable - it's the same as for -EACCES case above ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" OTHER_FILTERS="-F exit=-EPERM" AUID_FILTERS="-F auid>=1000 -F auid!=unset" SYSCALL="creat open openat open_by_handle_at truncate ftruncate" KEY="access" SYSCALL_GROUPING="creat open openat open_by_handle_at truncate ftruncate" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'augenrules', then check if the audit rule is defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection default_file="/etc/audit/rules.d/$KEY.rules" # As other_filters may include paths, lets use a different delimiter for it # The "F" script expression tells sed to print the filenames where the expressions matched readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet if [ ${#files_to_inspect[@]} -eq "0" ] then file_to_inspect="/etc/audit/rules.d/$KEY.rules" files_to_inspect=("$file_to_inspect") if [ ! 
-e "$file_to_inspect" ] then touch "$file_to_inspect" chmod 0640 "$file_to_inspect" fi fi # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate 
rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular 
audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;
<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1</span>&nbsp;<span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node 
name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label 
label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os 
release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>Â <span class="label 
label-default">oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit 
augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os 
version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit 
auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1</span>Â 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine 
class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span 
class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node 
name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>Â <span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span 
class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eacces</span>Â <span 
class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label 
label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eacces</span>&nbsp;<span 
class="label label-default">oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">audit augenrules 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>^/etc/audit/rules\.d/.*\.rules$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit 
architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">audit auditctl 64-bit file eacces</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EACCES)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit file eperm</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td><table><tr><td>[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*</td></tr><tr><td>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)*(?:-F\s+exit=-EPERM)[\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td></tr></table></td><td>/etc/audit/audit.rules</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" id="rule-detail-idm46361752202864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on Kernel Module Loading and Unloadingxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading mediumCCE-83804-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on Kernel Module Loading and Unloading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-audit_rules_kernel_module_loading:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83804-5">CCE-83804-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</a></p></td></tr><tr><td>Description</td><td><div class="description">To capture kernel module loading and unloading events, use the following lines, setting ARCH to b32 on a 32-bit system, or adding two lines, one with b32 and one with b64, if your system is 64-bit: <pre> -a always,exit -F arch=<i>ARCH</i> -S init_module,finit_module,delete_module -F key=modules </pre> The place to add the lines depends on the way the <code>auditd</code> daemon is configured. 
If it is configured to use the <code>augenrules</code> program (the default), add the lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>. If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility, add the lines to the file <code>/etc/audit/audit.rules</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362165215776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362165215776"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS=""
    AUID_FILTERS="-F auid>=1000 -F auid!=unset"
    SYSCALL="init_module finit_module delete_module"
    KEY="modules"
    SYSCALL_GROUPING="init_module finit_module delete_module"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, lets use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi

    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    default_file="/etc/audit/audit.rules"
    files_to_inspect+=('/etc/audit/audit.rules' )

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362165201248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362165201248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83804-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Set architecture for audit tasks
  set_fact:
    audit_arch: b64
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83804-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Perform remediation of Audit rules for kernel module loading for 32bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - init_module
      - delete_module
      - finit_module
      syscall_grouping:
      - init_module
      - delete_module
      - finit_module

  - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
    set_fact: audit_file="/etc/audit/rules.d/modules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - init_module
      - delete_module
      - finit_module
      syscall_grouping:
      - init_module
      - delete_module
      - finit_module

  - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83804-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Perform remediation of Audit rules for kernel module loading for 64bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - init_module
      - delete_module
      - finit_module
      syscall_grouping:
      - init_module
      - delete_module
      - finit_module

  - name: Check existence of init_module, delete_module, finit_module in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/modules.rules
    set_fact: audit_file="/etc/audit/rules.d/modules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - init_module
      - delete_module
      - finit_module
      syscall_grouping:
      - init_module
      - delete_module
      - finit_module

  - name: Check existence of init_module, delete_module, finit_module in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F auid>=1000 -F auid!=unset (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F auid>=1000 -F auid!=unset (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F auid>=1000 -F auid!=unset -F key=modules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83804-5
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.7
  - audit_rules_kernel_module_loading
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with 
id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit init_module</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit init_module</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit init_module</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit init_module</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit delete_module</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming 
to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span 
class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span 
class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit delete_module</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit delete_module</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit delete_module</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit finit_module</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label 
label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit finit_module</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have 
been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit finit_module</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span> <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit finit_module</span> <span class="label label-default">oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events" id="rule-detail-idm46361752190704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Eventsxccdf_org.ssgproject.content_rule_audit_rules_login_events mediumCCE-83784-9 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83784-9">CCE-83784-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a 
href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. 
For example: <ul><li><code>audit_rules_login_events_tallylog</code></li><li><code>audit_rules_login_events_faillock</code></li><li><code>audit_rules_login_events_lastlog</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164652304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362164652304"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo "$match" | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules tallylog</span> <span class="label label-default">oval:ssg-test_arle_tallylog_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl tallylog</span> <span class="label label-default">oval:ssg-test_arle_tallylog_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules faillock</span> <span class="label label-default">oval:ssg-test_arle_faillock_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_augenrules:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl faillock</span> <span class="label label-default">oval:ssg-test_arle_faillock_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table
table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules lastlog</span> <span class="label label-default">oval:ssg-test_arle_lastlog_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl lastlog</span> <span class="label label-default">oval:ssg-test_arle_lastlog_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_auditctl:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" id="rule-detail-idm46361752186720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - faillockxccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock mediumCCE-83783-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - faillock</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events_faillock:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83783-1">CCE-83783-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a href="">SRG-OS-000470-VMM-001900</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/faillock -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/faillock -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164511856" tabindex="0" role="button"
aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362164511856"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          | /etc/audit/rules.d/*.rules      |
#        augenrules              |          No           | /etc/audit/rules.d/$key.rules   |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key
        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          | /etc/audit/rules.d/*.rules      |
#        augenrules              |          No           | /etc/audit/rules.d/$key.rules   |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/faillock" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/faillock" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/faillock $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/faillock$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet.
        # Append it at the end of $audit_rules_file file
        # with proper key
        echo "-w /var/log/faillock -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164502336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362164502336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key logins
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/faillock in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/faillock -p wa -k logins
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/faillock already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/faillock\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/faillock in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/faillock -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83783-1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_faillock
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules faillock</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_faillock_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl faillock</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_faillock_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_faillock_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" id="rule-detail-idm46361752182720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - lastlogxccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog mediumCCE-83785-6 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - lastlog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-audit_rules_login_events_lastlog:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83785-6">CCE-83785-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a 
href="">SRG-OS-000470-VMM-001900</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/lastlog -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164387472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362164387472"><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection. 
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/lastlog" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/logins.rules" # If the logins.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/lastlog" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/lastlog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/lastlog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/lastlog -p wa -k logins" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164379296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362164379296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 - 
NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Search /etc/audit/rules.d for other rules with specified key logins find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)logins$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/logins.rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/log/lastlog in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/lastlog -p wa -k logins create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/log/lastlog already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/lastlog\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/log/lastlog in /etc/audit/audit.rules lineinfile: line: -w /var/log/lastlog -p wa -k logins state: present dest: /etc/audit/audit.rules create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", 
"container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83785-6 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_login_events_lastlog - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules lastlog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_lastlog_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label 
label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl lastlog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_lastlog_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_lastlog_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" id="rule-detail-idm46361752178720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Logon and Logout Events - tallylogxccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog mediumCCE-83782-3 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Logon and Logout Events - tallylog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_login_events_tallylog:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83782-3">CCE-83782-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a 
href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</a>, <a href="">SRG-OS-000473-VMM-001930</a>, <a href="">SRG-OS-000470-VMM-001900</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects login information for all users and root. 
If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing logon events: <pre>-w /var/log/tallylog -p wa -k logins</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164271184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362164271184"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined      | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter            | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                       | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                        | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined      | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter            | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                       | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                        | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/logins.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/tallylog" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/logins.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/logins.rules"
    # If the logins.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/var/log/tallylog" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/tallylog $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/var/log/tallylog$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /var/log/tallylog -p wa -k logins" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362164261488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362164261488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/tallylog already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key logins
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)logins$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use /etc/audit/rules.d/logins.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/logins.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/tallylog in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/tallylog -p wa -k logins
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/tallylog already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/tallylog\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/tallylog in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/tallylog -p wa -k logins
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83782-3
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_login_events_tallylog
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules tallylog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_tallylog_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label 
label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl tallylog</span>&nbsp;<span class="label label-default">oval:ssg-test_arle_tallylog_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arle_tallylog_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" id="rule-detail-idm46361752163904"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects Information on the Use of Privileged Commandsxccdf_org.ssgproject.content_rule_audit_rules_privileged_commands mediumCCE-83759-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects Information on the Use of Privileged Commands</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_privileged_commands:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83759-1">CCE-83759-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a 
href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO08.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002234</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.CO-2</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</a>, <a href="">SRG-OS-000471-VMM-001910</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.6</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system should collect information about usage of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition <i>PART</i>: <pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null</pre> If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> for each setuid / setgid program on the system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid / setgid program in the list: <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>=1000 -F auid!=unset -F key=privileged</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add a line of the following form to <code>/etc/audit/audit.rules</code> for each setuid / setgid program on the system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid / setgid program in the list: <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid>=1000 -F auid!=unset -F key=privileged</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have 
significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. <br><br> Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;This rule checks for multiple syscalls related to privileged commands; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example: <ul><li><code>audit_rules_privileged_commands_su</code></li><li><code>audit_rules_privileged_commands_umount</code></li><li><code>audit_rules_privileged_commands_passwd</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362163959424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362163959424"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
files_to_inspect=()

# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules'to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
#   missing rules should be inserted
files_to_inspect=("/etc/audit/audit.rules")
output_audit_file="/etc/audit/audit.rules"

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
privileged_binaries=()

readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null)

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

    # Check if this sbinary wasn't already handled in some of the previous sbinary iterations
    # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
    if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
    then
        # If so, don't process it second time & go to process next sbinary
        continue
    fi

    # Reset the counter of inspected files when starting to check
    # presence of existing audit rule for new sbinary
    count_of_inspected_files=0

    # Define expected rule form for this binary
    expected_rule="-a always,exit -F path=${sbinary} -F auid>=1000 -F auid!=unset -F key=privileged"

    # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
    if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
        echo "$expected_rule" >> "$output_audit_file"
        continue
    fi

    # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
    sbinary_esc=${sbinary//$'/'/$'\/'}

    # For each audit rules file from the list of files to be inspected
    for afile in "${files_to_inspect[@]}"
    do

        # Search current audit rules file's content for match. Match criteria:
        # * existing rule is for the same SUID/SGID binary we are currently processing (but
        #   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
        # * existing rule contains all arguments from expected rule form (though can contain
        #   them in arbitrary order)

        base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
                          -e '/-F path=[^[:space:]]\+/!d' \
                          -e '/-F auid>='"1000"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
                          -e '/-k \|-F key=/!d' "$afile")

        # Increase the count of inspected files for this sbinary
        count_of_inspected_files=$((count_of_inspected_files + 1))

        # Search current audit rules file's content for presence of rule pattern for this sbinary
        if [[ $base_search ]]
        then

            # Current audit rules file already contains rule for this binary =>
            # Store the exact form of found rule for this binary for further processing
            concrete_rule=$base_search

            # Select all other SUID/SGID binaries possibly also present in the found rule
            readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
            handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")

            # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
            readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)

            # if there is a -F perm flag, remove it
            if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
                # Separate concrete_rule into three sections using hash '#'
                # sign as a delimiter around rule's permission section borders
                # note that the trailing space after perm flag is captured because there would be
                # two consecutive spaces after joining remaining parts of the rule together
                concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"

                # Split concrete_rule into head and tail sections using hash '#' delimiter
                # The second column contains the permission section, which we don't need to extract
                rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
                rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")

                # Remove permissions section from existing rule in the file
                sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
            fi

        # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
        #
        # * in the "auditctl" mode of operation insert particular rule each time
        #   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
        #
        # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
        #   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
        #   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
        #
        else
            # Check if this sbinary wasn't already handled in some of the previous afile iterations
            # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
            if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
            then
                # Current audit rules file's content doesn't contain expected rule for this
                # SUID/SGID binary yet => append it
                echo "$expected_rule" >> "$output_audit_file"
            fi
            continue
        fi

    done

done
files_to_inspect=()

# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
#   (split by newline),
# * specify /etc/audit/rules.d/privileged.rules' as the output file, where
#   missing rules should be inserted
readarray -t files_to_inspect < <(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)
output_audit_file="/etc/audit/rules.d/privileged.rules"

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
privileged_binaries=()

readarray -t privileged_binaries < <(find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null)

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

    # Check if this sbinary wasn't already handled in some of the previous sbinary iterations
    # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
    if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
    then
        # If so, don't process it second time & go to process next sbinary
        continue
    fi

    # Reset the counter of inspected files when starting to check
    # presence of existing audit rule for new sbinary
    count_of_inspected_files=0

    # Define expected rule form for this binary
    expected_rule="-a always,exit -F path=${sbinary} -F auid>=1000 -F auid!=unset -F key=privileged"

    # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
    if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
        echo "$expected_rule" >> "$output_audit_file"
        continue
    fi

    # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
    sbinary_esc=${sbinary//$'/'/$'\/'}

    # For each audit rules file from the list of files to be inspected
    for afile in "${files_to_inspect[@]}"
    do

        # Search current audit rules file's content for match. Match criteria:
        # * existing rule is for the same SUID/SGID binary we are currently processing (but
        #   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
        # * existing rule contains all arguments from expected rule form (though can contain
        #   them in arbitrary order)

        base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d' \
                          -e '/-F path=[^[:space:]]\+/!d' \
                          -e '/-F auid>='"1000"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \
                          -e '/-k \|-F key=/!d' "$afile")

        # Increase the count of inspected files for this sbinary
        count_of_inspected_files=$((count_of_inspected_files + 1))

        # Search current audit rules file's content for presence of rule pattern for this sbinary
        if [[ $base_search ]]
        then

            # Current audit rules file already contains rule for this binary =>
            # Store the exact form of found rule for this binary for further processing
            concrete_rule=$base_search

            # Select all other SUID/SGID binaries possibly also present in the found rule
            readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
            handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")

            # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
            readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)

            # if there is a -F perm flag, remove it
            if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
                # Separate concrete_rule into three sections using hash '#'
                # sign as a delimiter around rule's permission section borders
                # note that the trailing space after perm flag is captured because there would be
                # two consecutive spaces after joining remaining parts of the rule together
                concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"

                # Split concrete_rule into head and tail sections using hash '#' delimiter
                # The second column contains the permission section, which we don't need to extract
                rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
                rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")

                # Remove permissions section from existing rule in the file
                sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
            fi

        # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
        #
        # * in the "auditctl" mode of operation insert particular rule each time
        #   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
        #
        # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
        #   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
        #   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
        #
        elif [[ $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
        then
            # Check if this sbinary wasn't already handled in some of the previous afile iterations
            # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
            if [[ ! $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]]
            then
                # Current audit rules file's content doesn't contain expected rule for this
                # SUID/SGID binary yet => append it
                echo "$expected_rule" >> "$output_audit_file"
            fi
            continue
        fi

    done

done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362163941040" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362163941040"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search for privileged commands
  shell: |
    set -o pipefail
    find / -not \( -fstype afs -o -fstype ceph -o -fstype cifs -o -fstype smb3 -o -fstype smbfs -o -fstype sshfs -o -fstype ncpfs -o -fstype ncp -o -fstype nfs -o -fstype nfs4 -o -fstype gfs -o -fstype gfs2 -o -fstype glusterfs -o -fstype gpfs -o -fstype pvfs2 -o -fstype ocfs2 -o -fstype lustre -o -fstype davfs -o -fstype fuse.sshfs \) -type f \( -perm -4000 -o -perm -2000 \) 2> /dev/null
  args:
    executable: /bin/bash
  check_mode: false
  register: find_result
  changed_when: false
  failed_when: false
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: /etc/audit/rules.d
    recurse: false
    contains: ^.*path={{ item }} .*$
    patterns: '*.rules'
  with_items:
  - '{{ find_result.stdout_lines }}'
  register: files_result
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Overwrites the rule in rules.d
  lineinfile:
    path: '{{ item.1.path }}'
    line: -a always,exit -F path={{ item.0.item }} -F auid>=1000 -F auid!=unset -F key=privileged
    create: false
    regexp: ^.*path={{ item.0.item }} .*$
  with_subelements:
  - '{{ files_result.results }}'
  - files
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
  with_items:
  - '{{ files_result.results }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - files_result.results is defined and item.matched == 0
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: -a always,exit -F path={{ item.item }} -F auid>=1000 -F auid!=unset -F key=privileged
    create: true
    regexp: ^.*path={{ item.item }} .*$
  with_items:
  - '{{ files_result.results }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83759-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-2(4)
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.2
  - audit_rules_privileged_commands
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
<thead><tr><th>Path</th>">
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules suid sgid</span>&nbsp;<span class="label label-default">oval:ssg-test_arpc_suid_sgid_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arpc_suid_sgid_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th><th>Filter</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td><td>oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules binaries count matches rules count</span>&nbsp;<span class="label label-default">oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1</span>&nbsp;<span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1</td><td>20</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl suid sgid</span>&nbsp;<span class="label label-default">oval:ssg-test_arpc_suid_sgid_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arpc_suid_sgid_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td><td>oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl binaries count matches rules count</span>&nbsp;<span class="label label-default">oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1</span>&nbsp;<span class="label label-danger">error</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1</td><td>20</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" id="rule-detail-idm46361752091856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex 
mediumCCE-83840-9 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through adjtimex</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_adjtimex:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83840-9">CCE-83840-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre> If the system is 64-bit, also add the following line: <pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre> If the system is 64-bit, also add the following line: <pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre> The <code>-k</code> option (written as <code>-F key=</code> in the rules above) specifies a key in string form that can be used for better reporting through <code>ausearch</code> and <code>aureport</code>. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161657520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161657520"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    # Create expected audit group and audit rule form for particular system call & architecture
    if [ ${ARCH} = "b32" ]
    then
        ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
        # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
        # so append it to the list of time group system calls to be audited
        SYSCALL="adjtimex settimeofday stime"
        SYSCALL_GROUPING="adjtimex settimeofday stime"
    elif [ ${ARCH} = "b64" ]
    then
        ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
        # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
        # therefore don't add it to the list of time group system calls to be audited
        SYSCALL="adjtimex settimeofday"
        SYSCALL_GROUPING="adjtimex settimeofday"
    fi
    OTHER_FILTERS=""
    AUID_FILTERS=""
    KEY="audit_time_rules"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, let's use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e, collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi

    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    default_file="/etc/audit/audit.rules"
    files_to_inspect+=('/etc/audit/audit.rules' )

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e, collect rules that match:
        # * the action, list and arch, (2-nd argument)
        # * the other filters, (3-rd argument)
        # * the auid filters, (4-th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check if there was any field left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161634976" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161634976"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83840-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_adjtimex
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set architecture for audit tasks
  set_fact:
    audit_arch: b64
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83840-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_adjtimex
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for adjtimex for 32bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - adjtimex
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of adjtimex in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - adjtimex
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of adjtimex in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83840-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_adjtimex
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for adjtimex for 64bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - adjtimex
      syscall_grouping:
      - adjtimex
      - settimeofday

  - name: Check existence of adjtimex in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - adjtimex
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of adjtimex in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83840-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_adjtimex
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr>
<tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161617488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161617488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ 
-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }} mode: 0600 path: /etc/audit/rules.d/75-syscall-adjtimex.rules overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit adjtimex</span>Â <span class="label label-default">oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label 
label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit adjtimex</span>&nbsp;<span class="label 
label-default">oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit adjtimex</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node 
name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit adjtimex</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="rule-detail-idm46361752087856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-83837-5 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through clock_settime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at 
least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_clock_settime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83837-5">CCE-83837-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</pre> The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. 
Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161516576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161516576"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS="-F a0=0x0"
    AUID_FILTERS=""
    SYSCALL="clock_settime"
    KEY="time-change"
    SYSCALL_GROUPING=""
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
    # -----------------------------------------------------------------------------------------
    #        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
    #        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
    # -----------------------------------------------------------------------------------------
    #
    files_to_inspect=()

    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    default_file="/etc/audit/rules.d/$KEY.rules"
    # As other_filters may include paths, let's use a different delimiter for it
    # The "F" script expression tells sed to print the filenames where the expressions matched
    readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
    # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
    if [ ${#files_to_inspect[@]} -eq "0" ]
    then
        file_to_inspect="/etc/audit/rules.d/$KEY.rules"
        files_to_inspect=("$file_to_inspect")
        if [ ! -e "$file_to_inspect" ]
        then
            touch "$file_to_inspect"
            chmod 0640 "$file_to_inspect"
        fi
    fi

    # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
    skip=1

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
        # i.e., collect rules that match:
        # * the action, list and arch, (2nd argument)
        # * the other filters, (3rd argument)
        # * the auid filters, (4th argument)
        readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

        candidate_rules=()
        # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
        for s_rule in "${similar_rules[@]}"
        do
            # Strip all the options and fields we know of,
            # then check whether any field was left over
            extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
            grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
        done

        if [[ ${#syscall_a[@]} -ge 1 ]]
        then
            # Check if the syscall we want is present in any of the similar existing rules
            for rule in "${candidate_rules[@]}"
            do
                rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
                all_syscalls_found=0
                for syscall in "${syscall_a[@]}"
                do
                    grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                        # A syscall was not found in the candidate rule
                        all_syscalls_found=1
                    }
                done
                if [[ $all_syscalls_found -eq 0 ]]
                then
                    # We found a rule with all the syscall(s) we want; skip rest of macro
                    skip=0
                    break
                fi

                # Check if this rule can be grouped with our target syscall and keep track of it
                for syscall_g in "${syscall_grouping[@]}"
                do
                    if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                    then
                        file_to_edit=${audit_file}
                        rule_to_edit=${rule}
                        rule_syscalls_to_edit=${rule_syscalls}
                    fi
                done
            done
        else
            # If there is any candidate rule, it is compliant; skip rest of macro
            if [ "${#candidate_rules[@]}" -gt 0 ]
            then
                skip=0
            fi
        fi

        if [ "$skip" -eq 0 ]; then
            break
        fi
    done

    if [ "$skip" -ne 0 ]; then
        # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
        # At this point we know if we need to either append the $full_rule or group
        # the syscall together with an existing rule

        # Append the full_rule if it cannot be grouped to any other rule
        if [ -z ${rule_to_edit+x} ]
        then
            # Build full_rule while avoiding double spaces when other_filters is empty
            if [ "${#syscall_a[@]}" -gt 0 ]
            then
                syscall_string=""
                for syscall in "${syscall_a[@]}"
                do
                    syscall_string+=" -S $syscall"
                done
            fi
            other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
            auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
            full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
            echo "$full_rule" >> "$default_file"
            chmod o-rwx ${default_file}
        else
            # Check if the syscalls are declared as a comma separated list or
            # as multiple -S parameters
            if grep -q -- "," <<< "${rule_syscalls_to_edit}"
            then
                delimiter=","
            else
                delimiter=" -S "
            fi
            new_grouped_syscalls="${rule_syscalls_to_edit}"
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                    # A syscall was not found in the candidate rule
                    new_grouped_syscalls+="${delimiter}${syscall}"
                }
            done

            # Group the syscall in the rule
            sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
        fi
    fi
    unset syscall_a
    unset syscall_grouping
    unset syscall_string
    unset syscall
    unset file_to_edit
    unset rule_to_edit
    unset rule_syscalls_to_edit
    unset other_string
    unset auid_string
    unset full_rule

    # Load macro arguments into arrays
    read -a syscall_a <<< $SYSCALL
    read -a syscall_grouping <<< $SYSCALL_GROUPING

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular 
audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161501488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362161501488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit tasks set_fact: audit_arch: b64 when: - 
'"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for clock_settime for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: 
found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | 
join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for clock_settime for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | 
combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/time-change.rules set_fact: audit_file="/etc/audit/rules.d/time-change.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - clock_settime syscall_grouping: [] - name: Check existence of clock_settime in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* -F a0=0x0 (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | 
map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( -F a0=0x0 (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F a0=0x0 -F key=time-change create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83837-5 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_clock_settime - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161487360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362161487360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,{{ 
-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }} mode: 0600 path: /etc/audit/rules.d/75-syscall-clock-settime.rules overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit clock_settime</span>Â <span class="label label-default">oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label 
label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit clock_settime</span>Â <span 
class="label label-default">oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit clock_settime</span>Â <span class="label label-default">oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine 
class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit clock_settime</span>Â <span class="label label-default">oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="rule-detail-idm46361752083856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record attempts to alter time through settimeofdayxccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday mediumCCE-83836-7 </div><div class="panel-heading"><h3 class="panel-title">Record attempts to alter time through settimeofday</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_settimeofday:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83836-7">CCE-83836-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a 
href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</pre> If the system is 64 bit then also add the following line: <pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</pre> The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. 
Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161386464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362161386464"><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited SYSCALL="adjtimex settimeofday stime" SYSCALL_GROUPING="adjtimex settimeofday stime" elif [ ${ARCH} = "b64" ] then ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited SYSCALL="adjtimex settimeofday" SYSCALL_GROUPING="adjtimex settimeofday" fi OTHER_FILTERS="" AUID_FILTERS="" 
KEY="audit_time_rules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'augenrules', then check if the audit rule is defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection default_file="/etc/audit/rules.d/$KEY.rules" # As other_filters may include paths, lets use a different delimiter for it # The "F" script expression tells sed to print the filenames where the expressions matched readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules) # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet if [ ${#files_to_inspect[@]} -eq "0" ] then file_to_inspect="/etc/audit/rules.d/$KEY.rules" 
files_to_inspect=("$file_to_inspect") if [ ! -e "$file_to_inspect" ] then touch "$file_to_inspect" chmod 0640 "$file_to_inspect" fi fi # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi 
done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for 
presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161366832" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362161366832"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83836-7 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set architecture for audit tasks set_fact: audit_arch: b64 when: - '"audit" 
in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64" tags: - CCE-83836-7 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for settimeofday for 32bit platform block: - name: Declare list of syscalls set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" 
when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ 
syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83836-7 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Perform remediation of Audit rules for settimeofday for 64bit platform block: - name: Declare list of syscalls set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: '*.rules' register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Reset syscalls found per file set_fact: syscalls_per_file: {} found_paths_dict: {} - name: Declare syscalls found per file set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}" loop: '{{ find_command.results | selectattr(''matched'') | list }}' - name: Declare files where syscalls were found set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}" - name: Count occurrences of syscalls in paths set_fact: found_paths_dict="{{ 
found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}" loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}' - name: Get path with most syscalls set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}" when: found_paths | length >= 1 - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules" when: found_paths | length == 0 - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: o-rwx state: present when: syscalls_found | length == 0 - name: Declare list of syscalls set_fact: syscalls: - settimeofday syscall_grouping: - adjtimex - settimeofday - stime - name: Check existence of settimeofday in /etc/audit/audit.rules find: paths: /etc/audit contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$ patterns: audit.rules register: find_command loop: '{{ (syscall_grouping + syscalls) | unique }}' - name: Set path to /etc/audit/audit.rules set_fact: audit_file="/etc/audit/audit.rules" - name: Declare found syscalls set_fact: syscalls_found="{{ find_command.results | 
selectattr('matched') | map(attribute='item') | list }}" - name: Declare missing syscalls set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}" - name: Replace the audit rule in {{ audit_file }} lineinfile: path: '{{ audit_file }}' regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+) line: \1\2\3{{ missing_syscalls | join("\3") }}\4 backrefs: true state: present when: syscalls_found | length > 0 and missing_syscalls | length > 0 - name: Add the audit rule to {{ audit_file }} lineinfile: path: '{{ audit_file }}' line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_time_rules create: true mode: o-rwx state: present when: syscalls_found | length == 0 when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - audit_arch == "b64" tags: - CCE-83836-7 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.4.2.b - audit_rules_time_settimeofday - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161349200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161349200"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,{{ 
-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }} mode: 0600 path: /etc/audit/rules.d/75-syscall-settimeofday.rules overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit settimeofday</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label 
label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label 
label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit settimeofday</span>&nbsp;<span class="label 
label-default">oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit settimeofday</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node 
name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit settimeofday</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime" id="rule-detail-idm46361752079856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-83835-9 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Time Through stime</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_stime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition 
of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_stime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83835-9">CCE-83835-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> for both 32 bit and 64 bit systems: <pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre> Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). 
If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file for both 32 bit and 64 bit systems: <pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre> Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but this is not required. See an example of multiple combined system calls: <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161248752" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161248752"><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ] && rpm --quiet -q audit; then # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited SYSCALL="adjtimex settimeofday stime" SYSCALL_GROUPING="adjtimex settimeofday stime" elif [ ${ARCH} = "b64" ] then ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH" # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited SYSCALL="adjtimex settimeofday" SYSCALL_GROUPING="adjtimex settimeofday" fi OTHER_FILTERS="" AUID_FILTERS="" KEY="audit_time_rules" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' unset syscall_a unset syscall_grouping unset syscall_string unset syscall unset file_to_edit unset rule_to_edit unset rule_syscalls_to_edit unset other_string unset auid_string unset full_rule # Load macro arguments into arrays read -a syscall_a <<< $SYSCALL read -a syscall_grouping <<< $SYSCALL_GROUPING # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules           |          No           | /etc/audit/rules.d/$key.rules   |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, let's use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi
unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules           |          No           | /etc/audit/rules.d/$key.rules   |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()

# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules')

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e., collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-th argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields than required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # then check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//" <<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an existing rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoiding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161226688" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161226688"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83835-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_stime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Perform remediation of Audit rules for stime syscall for x86 platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - stime
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of stime in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_time_rules.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_time_rules.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - stime
      syscall_grouping:
      - adjtimex
      - settimeofday
      - stime

  - name: Check existence of stime in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_time_rules
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83835-9
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_stime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161213712" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161213712"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-syscall-stime.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">32 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit stime</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_art_stime_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_stime_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit stime</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_art_stime_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_art_stime_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" id="rule-detail-idm46361752075872"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-83839-1 </div><div class="panel-heading"><h3 class="panel-title">Record Attempts to Alter the localtime File</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_time_watch_localtime:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83839-1">CCE-83839-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a 
href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, 
<a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.4</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-w /etc/localtime -p wa -k audit_time_rules</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to <code>/etc/audit/audit.rules</code> file: <pre>-w /etc/localtime -p wa -k audit_time_rules</pre> The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). 
All changes to the system time should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161114496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362161114496"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_time_rules.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/localtime" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_time_rules.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_time_rules.rules"
    # If the audit_time_rules.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/localtime" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/localtime $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/localtime$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/localtime -p wa -k audit_time_rules" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161106272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161106272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/localtime already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_time_rules
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_time_rules$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_time_rules.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_time_rules.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/localtime in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/localtime -p wa -k audit_time_rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/localtime already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/localtime\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/localtime in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/localtime -p wa -k audit_time_rules
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83839-1
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.4.2.b
  - audit_rules_time_watch_localtime
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362161098192" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362161098192"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/localtime watch augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_artw_etc_localtime_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_artw_etc_localtime_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/localtime watch auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_artw_etc_localtime_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_artw_etc_localtime_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" id="rule-detail-idm46361752504752"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification mediumCCE-83706-2 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify the System's Network Environment</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_networkconfig_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83706-2">CCE-83706-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.5</a></p></td></tr><tr><td>Description</td><td><div 
class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file, setting ARCH to either b32 or b64 as appropriate for your system: <pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175993728" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362175993728"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
    OTHER_FILTERS=""
    AUID_FILTERS=""
    SYSCALL="sethostname setdomainname"
    KEY="audit_rules_networkconfig_modification"
    SYSCALL_GROUPING="sethostname setdomainname"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
files_to_inspect=()


# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
default_file="/etc/audit/rules.d/$KEY.rules"
# As other_filters may include paths, lets use a different delimiter for it
# The "F" script expression tells sed to print the filenames where the expressions matched
readarray -t files_to_inspect < <(sed -s -n -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" -e "F" /etc/audit/rules.d/*.rules)
# Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
if [ ${#files_to_inspect[@]} -eq "0" ]
then
    file_to_inspect="/etc/audit/rules.d/$KEY.rules"
    files_to_inspect=("$file_to_inspect")
    if [ ! -e "$file_to_inspect" ]
    then
        touch "$file_to_inspect"
        chmod 0640 "$file_to_inspect"
    fi
fi

# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1

for audit_file in "${files_to_inspect[@]}"
do
    # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern,
    # i.e, collect rules that match:
    # * the action, list and arch, (2-nd argument)
    # * the other filters, (3-rd argument)
    # * the auid filters, (4-rd argument)
    readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file")

    candidate_rules=()
    # Filter out rules that have more fields then required. This will remove rules more specific than the required scope
    for s_rule in "${similar_rules[@]}"
    do
        # Strip all the options and fields we know of,
        # than check if there was any field left over
        extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule")
        grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule")
    done

    if [[ ${#syscall_a[@]} -ge 1 ]]
    then
        # Check if the syscall we want is present in any of the similar existing rules
        for rule in "${candidate_rules[@]}"
        do
            rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs)
            all_syscalls_found=0
            for syscall in "${syscall_a[@]}"
            do
                grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || {
                    # A syscall was not found in the candidate rule
                    all_syscalls_found=1
                }
            done
            if [[ $all_syscalls_found -eq 0 ]]
            then
                # We found a rule with all the syscall(s) we want; skip rest of macro
                skip=0
                break
            fi

            # Check if this rule can be grouped with our target syscall and keep track of it
            for syscall_g in "${syscall_grouping[@]}"
            do
                if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls"
                then
                    file_to_edit=${audit_file}
                    rule_to_edit=${rule}
                    rule_syscalls_to_edit=${rule_syscalls}
                fi
            done
        done
    else
        # If there is any candidate rule, it is compliant; skip rest of macro
        if [ "${#candidate_rules[@]}" -gt 0 ]
        then
            skip=0
        fi
    fi

    if [ "$skip" -eq 0 ]; then
        break
    fi
done

if [ "$skip" -ne 0 ]; then
    # We checked all rules that matched the expected resemblance pattern (action, arch & auid)
    # At this point we know if we need to either append the $full_rule or group
    # the syscall together with an exsiting rule

    # Append the full_rule if it cannot be grouped to any other rule
    if [ -z ${rule_to_edit+x} ]
    then
        # Build full_rule while avoid adding double spaces when other_filters is empty
        if [ "${#syscall_a[@]}" -gt 0 ]
        then
            syscall_string=""
            for syscall in "${syscall_a[@]}"
            do
                syscall_string+=" -S $syscall"
            done
        fi
        other_string=$([[ $OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true
        auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true
        full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true
        echo "$full_rule" >> "$default_file"
        chmod o-rwx ${default_file}
    else
        # Check if the syscalls are declared as a comma separated list or
        # as multiple -S parameters
        if grep -q -- "," <<< "${rule_syscalls_to_edit}"
        then
            delimiter=","
        else
            delimiter=" -S "
        fi
        new_grouped_syscalls="${rule_syscalls_to_edit}"
        for syscall in "${syscall_a[@]}"
        do
            grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || {
                # A syscall was not found in the candidate rule
                new_grouped_syscalls+="${delimiter}${syscall}"
            }
        done

        # Group the syscall in the rule
        sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit"
    fi
fi

unset syscall_a
unset syscall_grouping
unset syscall_string
unset syscall
unset file_to_edit
unset rule_to_edit
unset rule_syscalls_to_edit
unset other_string
unset auid_string
unset full_rule

# Load macro arguments into arrays
read -a syscall_a <<< $SYSCALL
read -a syscall_grouping <<< $SYSCALL_GROUPING

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular
audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- # files_to_inspect=() # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' # file to the list of files to be inspected default_file="/etc/audit/audit.rules" files_to_inspect+=('/etc/audit/audit.rules' ) # After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead skip=1 for audit_file in "${files_to_inspect[@]}" do # Filter existing $audit_file rules' definitions to select those that satisfy the rule pattern, # i.e, collect rules that match: # * the action, list and arch, (2-nd argument) # * the other filters, (3-rd argument) # * the auid filters, (4-rd argument) readarray -t similar_rules < <(sed -e "/^$ACTION_ARCH_FILTERS/!d" -e "\#$OTHER_FILTERS#!d" -e "/$AUID_FILTERS/!d" "$audit_file") candidate_rules=() # Filter out rules that have more fields then required. 
This will remove rules more specific than the required scope for s_rule in "${similar_rules[@]}" do # Strip all the options and fields we know of, # than check if there was any field left over extra_fields=$(sed -E -e "s/^$ACTION_ARCH_FILTERS//" -e "s#$OTHER_FILTERS##" -e "s/$AUID_FILTERS//" -e "s/((:?-S [[:alnum:],]+)+)//g" -e "s/-F key=\w+|-k \w+//"<<< "$s_rule") grep -q -- "-F" <<< "$extra_fields" || candidate_rules+=("$s_rule") done if [[ ${#syscall_a[@]} -ge 1 ]] then # Check if the syscall we want is present in any of the similar existing rules for rule in "${candidate_rules[@]}" do rule_syscalls=$(echo "$rule" | grep -o -P '(-S [\w,]+)+' | xargs) all_syscalls_found=0 for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "$rule_syscalls" || { # A syscall was not found in the candidate rule all_syscalls_found=1 } done if [[ $all_syscalls_found -eq 0 ]] then # We found a rule with all the syscall(s) we want; skip rest of macro skip=0 break fi # Check if this rule can be grouped with our target syscall and keep track of it for syscall_g in "${syscall_grouping[@]}" do if grep -q -- "\b${syscall_g}\b" <<< "$rule_syscalls" then file_to_edit=${audit_file} rule_to_edit=${rule} rule_syscalls_to_edit=${rule_syscalls} fi done done else # If there is any candidate rule, it is compliant; skip rest of macro if [ "${#candidate_rules[@]}" -gt 0 ] then skip=0 fi fi if [ "$skip" -eq 0 ]; then break fi done if [ "$skip" -ne 0 ]; then # We checked all rules that matched the expected resemblance pattern (action, arch & auid) # At this point we know if we need to either append the $full_rule or group # the syscall together with an exsiting rule # Append the full_rule if it cannot be grouped to any other rule if [ -z ${rule_to_edit+x} ] then # Build full_rule while avoid adding double spaces when other_filters is empty if [ "${#syscall_a[@]}" -gt 0 ] then syscall_string="" for syscall in "${syscall_a[@]}" do syscall_string+=" -S $syscall" done fi other_string=$([[ 
$OTHER_FILTERS ]] && echo " $OTHER_FILTERS") || /bin/true auid_string=$([[ $AUID_FILTERS ]] && echo " $AUID_FILTERS") || /bin/true full_rule="$ACTION_ARCH_FILTERS${syscall_string}${other_string}${auid_string} -F key=$KEY" || /bin/true echo "$full_rule" >> "$default_file" chmod o-rwx ${default_file} else # Check if the syscalls are declared as a comma separated list or # as multiple -S parameters if grep -q -- "," <<< "${rule_syscalls_to_edit}" then delimiter="," else delimiter=" -S " fi new_grouped_syscalls="${rule_syscalls_to_edit}" for syscall in "${syscall_a[@]}" do grep -q -- "\b${syscall}\b" <<< "${rule_syscalls_to_edit}" || { # A syscall was not found in the candidate rule new_grouped_syscalls+="${delimiter}${syscall}" } done # Group the syscall in the rule sed -i -e "\#${rule_to_edit}#s#${rule_syscalls_to_edit}#${new_grouped_syscalls}#" "$file_to_edit" fi fi done # Then perform the remediations for the watch rules # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type 
bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/issue.net" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! 
-e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/issue.net" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/issue.net $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/issue.net$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection. 
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/hosts" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules" # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/hosts" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/hosts $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/hosts$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/hosts -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access 
type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect |
# -----------------------------------------------------------------------------------------
# auditctl | Doesn't matter | /etc/audit/audit.rules |
# -----------------------------------------------------------------------------------------
# augenrules | Yes | /etc/audit/rules.d/*.rules |
# augenrules | No | /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sysconfig/network" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_networkconfig_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
    # If the audit_rules_networkconfig_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sysconfig/network" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sysconfig/network$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key
        echo "-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification" >> "$audit_rules_file"
    fi
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175927120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362175927120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set architecture for audit tasks
  set_fact:
    audit_arch: b64
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture == "aarch64" or ansible_architecture == "ppc64" or ansible_architecture == "ppc64le" or ansible_architecture == "s390x" or ansible_architecture == "x86_64"
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remediate audit rules for network configuration for 32bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - sethostname
      - setdomainname
      syscall_grouping:
      - sethostname
      - setdomainname

  - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - sethostname
      - setdomainname
      syscall_grouping:
      - sethostname
      - setdomainname

  - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b32(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b32)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b32 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remediate audit rules for network configuration for 64bit platform
  block:

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - sethostname
      - setdomainname
      syscall_grouping:
      - sethostname
      - setdomainname

  - name: Check existence of sethostname, setdomainname in /etc/audit/rules.d/
    find:
      paths: /etc/audit/rules.d
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: '*.rules'
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Reset syscalls found per file
    set_fact:
      syscalls_per_file: {}
      found_paths_dict: {}

  - name: Declare syscalls found per file
    set_fact: syscalls_per_file="{{ syscalls_per_file | combine( {item.files[0].path :[item.item] + syscalls_per_file.get(item.files[0].path, []) } ) }}"
    loop: '{{ find_command.results | selectattr(''matched'') | list }}'

  - name: Declare files where syscalls were found
    set_fact: found_paths="{{ find_command.results | map(attribute='files') | flatten | map(attribute='path') | list }}"

  - name: Count occurrences of syscalls in paths
    set_fact: found_paths_dict="{{ found_paths_dict | combine({ item:1+found_paths_dict.get(item, 0) }) }}"
    loop: '{{ find_command.results | map(attribute=''files'') | flatten | map(attribute=''path'') | list }}'

  - name: Get path with most syscalls
    set_fact: audit_file="{{ (found_paths_dict | dict2items() | sort(attribute='value') | last).key }}"
    when: found_paths | length >= 1

  - name: No file with syscall found, set path to /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
    set_fact: audit_file="/etc/audit/rules.d/audit_rules_networkconfig_modification.rules"
    when: found_paths | length == 0

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_per_file[audit_file] | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0

  - name: Declare list of syscalls
    set_fact:
      syscalls:
      - sethostname
      - setdomainname
      syscall_grouping:
      - sethostname
      - setdomainname

  - name: Check existence of sethostname, setdomainname in /etc/audit/audit.rules
    find:
      paths: /etc/audit
      contains: -a always,exit -F arch=b64(( -S |,)\w+)*(( -S |,){{ item }})+(( -S |,)\w+)* (-k\s+|-F\s+key=)\S+\s*$
      patterns: audit.rules
    register: find_command
    loop: '{{ (syscall_grouping + syscalls) | unique }}'

  - name: Set path to /etc/audit/audit.rules
    set_fact: audit_file="/etc/audit/audit.rules"

  - name: Declare found syscalls
    set_fact: syscalls_found="{{ find_command.results | selectattr('matched') | map(attribute='item') | list }}"

  - name: Declare missing syscalls
    set_fact: missing_syscalls="{{ syscalls | difference(syscalls_found) }}"

  - name: Replace the audit rule in {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      regexp: (-a always,exit -F arch=b64)(?=.*(?:(?:-S |,)(?:{{ syscalls_found | join("|") }}))\b)((?:( -S |,)\w+)+)( (?:-k |-F key=)\w+)
      line: \1\2\3{{ missing_syscalls | join("\3") }}\4
      backrefs: true
      state: present
    when: syscalls_found | length > 0 and missing_syscalls | length > 0

  - name: Add the audit rule to {{ audit_file }}
    lineinfile:
      path: '{{ audit_file }}'
      line: -a always,exit -F arch=b64 -S {{ syscalls | join(',') }} -F key=audit_rules_networkconfig_modification
      create: true
      mode: o-rwx
      state: present
    when: syscalls_found | length == 0
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - audit_arch == "b64"
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/issue already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/issue in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/issue already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/issue\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/issue in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/issue.net in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/issue.net already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/issue.net\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/issue.net in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/hosts already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/hosts in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/hosts already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/hosts\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/hosts in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/rules.d/
  find:
    paths: /etc/audit/rules.d
    contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
    patterns: '*.rules'
  register: find_existing_watch_rules_d
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Search /etc/audit/rules.d for other rules with specified key audit_rules_networkconfig_modification
  find:
    paths: /etc/audit/rules.d
    contains: ^.*(?:-F key=|-k\s+)audit_rules_networkconfig_modification$
    patterns: '*.rules'
  register: find_watch_key
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use /etc/audit/rules.d/audit_rules_networkconfig_modification.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/audit_rules_networkconfig_modification.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sysconfig/network in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check if watch rule for /etc/sysconfig/network already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/etc/sysconfig/network\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Add watch rule for /etc/sysconfig/network in /etc/audit/audit.rules
  lineinfile:
    line: -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83706-2
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AC-6(9)
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.5
  - audit_rules_networkconfig_modification
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_arnm_etc_issue_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue.net augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/hosts augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_arnm_etc_hosts_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_arnm_etc_hosts_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/sysconfig/network augenrules</span>Â <span class="label label-default">oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit sethostname</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label 
label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label 
label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit sethostname</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit sethostname</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table 
table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine 
class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit sethostname</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 32-bit setdomainname</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span 
class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have 
been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules 64-bit setdomainname</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 32-bit setdomainname</span>Â <span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor 
type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>Â <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit 
architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>Â <span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl 64-bit setdomainname</span>Â <span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>Â <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue auditctl</span>Â <span class="label label-default">oval:ssg-test_arnm_etc_issue_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/issue.net auditctl</span>Â <span class="label label-default">oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No 
items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/hosts auditctl</span>Â <span class="label label-default">oval:ssg-test_arnm_etc_hosts_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_hosts_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/sysconfig/network auditctl</span>Â <span class="label label-default">oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit 
augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit sethostname</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit sethostname</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit sethostname</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit sethostname</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 32-bit setdomainname</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit augenrules 64-bit setdomainname</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 32-bit setdomainname</span>&nbsp;<span class="label label-default">oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table>
<h4><span class="label label-primary">audit auditctl 64-bit setdomainname</span>&nbsp;<span class="label label-default">oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</td><td>1</td></tr></tbody></table>
</div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_session_events" id="rule-detail-idm46361752500736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-83713-8 </div><div 
class="panel-heading"><h3 class="panel-title">Record Attempts to Alter Process and Session Initiation Information</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_session_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_session_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83713-8">CCE-83713-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</a>, <a 
href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.11</a></p></td></tr><tr><td>Description</td><td><div class="description">The audit system already collects process information for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code> in order to watch for attempted manual edits of files involved in storing such process information: <pre>-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to <code>/etc/audit/audit.rules</code> file in order to watch for attempted manual edits of files involved in storing such process information: <pre>-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175791424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362175791424"><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/run/utmp" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/session.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/session.rules" # If the session.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/run/utmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/run/utmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/run/utmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/run/utmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace 
class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/btmp" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/session.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/session.rules" # If the session.rules file doesn't exist yet, create it with correct permissions if [ ! 
-e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/btmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/btmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/btmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/btmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' # into the list of files to be inspected files_to_inspect+=('/etc/audit/audit.rules') # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/session.rules' to list of files for inspection. 
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/var/log/wtmp" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/session.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/session.rules" # If the session.rules file doesn't exist yet, create it with correct permissions if [ ! -e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/var/log/wtmp" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/var/log/wtmp $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! 
grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/var/log/wtmp$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /var/log/wtmp -p wa -k session" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175769888" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362175769888"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/run/utmp already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 - 
NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use /etc/audit/rules.d/session.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/session.rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/run/utmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/run/utmp -p wa -k session create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/run/utmp already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/run/utmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/run/utmp in /etc/audit/audit.rules lineinfile: line: -w /var/run/utmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and 
find_existing_watch_audit_rules.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/log/btmp already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use /etc/audit/rules.d/session.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/session.rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and 
find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/log/btmp in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /var/log/btmp -p wa -k session create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/log/btmp already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/var/log/btmp\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", 
"openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Add watch rule for /var/log/btmp in /etc/audit/audit.rules lineinfile: line: -w /var/log/btmp -p wa -k session state: present dest: /etc/audit/audit.rules create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83713-8 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.3 - audit_rules_session_events - low_complexity - low_disruption - medium_severity - reboot_required - restrict_strategy - name: Search /etc/audit/rules.d for other rules with specified key session find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)session$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and 
    find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use /etc/audit/rules.d/session.rules as the recipient for the rule
  set_fact:
    all_files:
    - /etc/audit/rules.d/session.rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Use matched file as the recipient for the rule
  set_fact:
    all_files:
    - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/wtmp in /etc/audit/rules.d/
  lineinfile:
    path: '{{ all_files[0] }}'
    line: -w /var/log/wtmp -p wa -k session
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Check if watch rule for /var/log/wtmp already exists in /etc/audit/audit.rules
  find:
    paths: /etc/audit/
    contains: ^\s*-w\s+/var/log/wtmp\s+-p\s+wa(\s|$)+
    patterns: audit.rules
  register: find_existing_watch_audit_rules
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Add watch rule for /var/log/wtmp in /etc/audit/audit.rules
  lineinfile:
    line: -w /var/log/wtmp -p wa -k session
    state: present
    dest: /etc/audit/audit.rules
    create: true
    mode: '0640'
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0
  tags:
  - CCE-83713-8
  - CJIS-5.4.1.1
  - NIST-800-171-3.1.7
  - NIST-800-53-AU-12(c)
  - NIST-800-53-AU-2(d)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.2.3
  - audit_rules_session_events
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175748528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div 
class="panel-collapse collapse" id="idm46362175748528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }}
        mode: 0600
        path: /etc/audit/rules.d/75-audit-session-events.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules utmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_utmp_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_utmp_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules btmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_btmp_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_btmp_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules wtmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_wtmp_augenrules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_wtmp_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl utmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_utmp_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_utmp_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl btmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_btmp_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_btmp_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl wtmp</span>&nbsp;<span class="label label-default">oval:ssg-test_arse_wtmp_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_arse_wtmp_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" id="rule-detail-idm46361752488656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-83729-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure auditd Collects System Administrator Actions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_sysadmin_actions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83729-4">CCE-83729-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a 
href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1.5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5.b</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a>, <a href="">SRG-OS-000462-VMM-001840</a>, <a href="">SRG-OS-000471-VMM-001910</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.1.3.1</a></p></td></tr><tr><td>Description</td><td><div 
class="description">At a minimum, the audit system should collect administrator actions for all users and root. If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>: <pre>-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions</pre> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file: <pre>-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as for accountability purposes.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175443472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362175443472"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key
        echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/actions.rules"
    # If the actions.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/sudoers$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key
        echo "-w /etc/sudoers -p wa -k actions" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
# auditctl                      | Doesn't matter       | /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
# augenrules                    | Yes                  | /etc/audit/rules.d/*.rules     |
# augenrules                    | No                   | /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace
class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule # (no literal space before $sp\+: a single blank between the path and -p must match) current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/actions.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/sudoers.d/" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/actions.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/actions.rules" # If the actions.rules file doesn't exist yet, create it with correct permissions if [ ! 
-e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/sudoers.d/" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule # (no literal space before $sp\+: a single blank between the path and -p must match) current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/sudoers.d/$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. 
Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/sudoers.d/ -p wa -k actions" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175423344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362175423344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Check if watch rule for /etc/sudoers already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Search /etc/audit/rules.d for other 
rules with specified key actions find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/actions.rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - 
NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Add watch rule for /etc/sudoers in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers -p wa -k actions create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Check if watch rule for /etc/sudoers already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Add watch rule for /etc/sudoers in /etc/audit/audit.rules lineinfile: line: -w /etc/sudoers -p wa -k actions state: present dest: /etc/audit/audit.rules create: true mode: '0640' when: - '"audit" in 
ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/rules.d/ find: paths: /etc/audit/rules.d contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: '*.rules' register: find_existing_watch_rules_d when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Search /etc/audit/rules.d for other rules with specified key actions find: paths: /etc/audit/rules.d contains: ^.*(?:-F key=|-k\s+)actions$ patterns: '*.rules' register: find_watch_key when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - 
low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Use /etc/audit/rules.d/actions.rules as the recipient for the rule set_fact: all_files: - /etc/audit/rules.d/actions.rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched == 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Use matched file as the recipient for the rule set_fact: all_files: - '{{ find_watch_key.files | map(attribute=''path'') | list | first }}' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_watch_key.matched is defined and find_watch_key.matched > 0 and find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Add watch rule for /etc/sudoers.d/ in /etc/audit/rules.d/ lineinfile: path: '{{ all_files[0] }}' line: -w /etc/sudoers.d/ -p wa -k actions create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - 
find_existing_watch_rules_d.matched is defined and find_existing_watch_rules_d.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Check if watch rule for /etc/sudoers.d/ already exists in /etc/audit/audit.rules find: paths: /etc/audit/ contains: ^\s*-w\s+/etc/sudoers.d/\s+-p\s+wa(\s|$)+ patterns: audit.rules register: find_existing_watch_audit_rules when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Add watch rule for /etc/sudoers.d/ in /etc/audit/audit.rules lineinfile: line: -w /etc/sudoers.d/ -p wa -k actions state: present dest: /etc/audit/audit.rules create: true mode: '0640' when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - find_existing_watch_audit_rules.matched is defined and find_existing_watch_audit_rules.matched == 0 tags: - CCE-83729-4 - CJIS-5.4.1.1 - NIST-800-171-3.1.7 - NIST-800-53-AC-2(7)(b) - NIST-800-53-AC-6(9) - NIST-800-53-AU-12(c) - NIST-800-53-AU-2(d) - NIST-800-53-CM-6(a) - PCI-DSS-Req-10.2.1.5 - PCI-DSS-Req-10.2.2 - PCI-DSS-Req-10.2.5.b - audit_rules_sysadmin_actions - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr><tr 
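class="noprint"><td colspan="2"><div class="remediation"><p>Added example (editor's own, not part of this OpenSCAP report nor of the ComplianceAsCode remediation shown above): a POSIX shell version of the watch-rule check and repair that the shell remediation above and the OVAL tests for this rule perform for <code>-w /etc/sudoers</code> and <code>-w /etc/sudoers.d/</code>. Each rule is split into tokens (<code>-w PATH -p MASK -k KEY</code>) instead of being matched on a path prefix, so a watch on <code>/etc/sudoers.d/</code> is not taken for the required watch on <code>/etc/sudoers</code>, which the <code>grep -P "^[\s]*-w[\s]+/etc/sudoers"</code> presence check in the script above would match. The <code>-p</code> mask is compared letter by letter, so <code>-p aw</code> or <code>-p rwa</code> pass exactly as the OVAL pattern <code>\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b</code> accepts them, and the choice between <code>audit.rules</code> and a <code>rules.d</code> file follows the auditctl/augenrules table in the script's comments. The audit directory is a parameter (normally <code>/etc/audit</code>) and the demo builds a scratch tree under <code>mktemp -d</code> with constructed rules, so nothing under <code>/etc/audit</code> is read or written; all function names are the example's own.</p>

```shell
#!/bin/sh
# Added example: check and repair auditd file watches the way the remediation and
# the OVAL tests for audit_rules_sysadmin_actions reason about them. Not part of
# the OpenSCAP report or of ComplianceAsCode; function names are this example's own.
# Rules are parsed as tokens ("-w PATH -p MASK -k KEY"), so /etc/sudoers never
# matches /etc/sudoers.d/, and the mask is compared letter by letter (wa == aw).

# Exit 0 if FILE contains a "-w PATH" watch rule at all, whatever its -p mask.
audit_watch_defined() {
    awk -v path="$2" '$1 == "-w" && $2 == path { found = 1 } END { exit !found }' "$1"
}

# Print the -p mask of the first "-w PATH" rule in FILE that has one; print nothing
# if the watch is missing or has no explicit -p (the OVAL pattern requires one).
audit_watch_mask() {
    awk -v path="$2" '
        $1 == "-w" && $2 == path {
            for (i = NF - 1; i > 2; i--) if ($i == "-p") { print $(i + 1); exit }
        }' "$1"
}

# Exit 0 if the "-w PATH" rule in FILE carries every letter of REQUIRED, in any
# order and with extra bits allowed: the same acceptance as the OVAL pattern
# \b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b in the report.
audit_watch_present() {
    mask=$(audit_watch_mask "$1" "$2") || return 1
    [ -n "$mask" ] || return 1
    for bit in $(printf '%s' "$3" | sed 's/./& /g'); do
        case $mask in *"$bit"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Choose the file to edit, following the table in the remediation's comments:
# auditctl loader -> AUDIT_DIR/audit.rules; augenrules -> the rules.d file that
# already defines the watch, else AUDIT_DIR/rules.d/KEY.rules. AUDIT_DIR is a
# parameter (normally /etc/audit) so the demo can run against a scratch tree.
audit_rules_target() {
    loader=$1; audit_dir=$2; tpath=$3; tkey=$4
    if [ "$loader" = auditctl ]; then
        printf '%s\n' "$audit_dir/audit.rules"
        return 0
    fi
    for f in "$audit_dir"/rules.d/*.rules; do
        [ -f "$f" ] || continue
        if audit_watch_defined "$f" "$tpath"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    printf '%s\n' "$audit_dir/rules.d/$tkey.rules"
}

# Make FILE carry "-w PATH -p MASK" with at least the REQUIRED bits: merge missing
# bits into an existing mask, or append a complete rule keyed KEY when the watch is
# absent (or has no explicit -p, which the check would not accept anyway).
audit_watch_ensure() {
    rf=$1; wpath=$2; req=$3; rkey=$4
    if [ ! -e "$rf" ]; then
        # Same as the remediation: new rules files are created root-readable only.
        touch "$rf" && chmod 0640 "$rf" || return 1
    fi
    mask=$(audit_watch_mask "$rf" "$wpath")
    if [ -z "$mask" ]; then
        printf '%s\n' "-w $wpath -p $req -k $rkey" >> "$rf"
        return 0
    fi
    new=$mask
    for bit in $(printf '%s' "$req" | sed 's/./& /g'); do
        case $new in *"$bit"*) ;; *) new="$new$bit" ;; esac
    done
    [ "$new" != "$mask" ] || return 0
    # Rewrite only the -p value of the matching rule; writing back through cat
    # keeps the file's inode and mode, unlike mv over it.
    awk -v path="$wpath" -v newmask="$new" '
        $1 == "-w" && $2 == path && !fixed {
            for (i = NF - 1; i > 2; i--) if ($i == "-p") { $(i + 1) = newmask; fixed = 1 }
        }
        { print }' "$rf" > "$rf.tmp" && cat "$rf.tmp" > "$rf" && rm -f "$rf.tmp"
}

# Demo on a constructed scratch tree (nothing under /etc/audit is touched): one
# rules.d file where /etc/sudoers is watched for reads only and /etc/sudoers.d/ is
# already compliant. Prints the repaired file.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/rules.d"
    printf '%s\n' '-w /etc/sudoers -p r -k actions' \
                  '-w /etc/sudoers.d/ -p wa -k actions' > "$tmp/rules.d/50-sudo.rules"
    for dpath in /etc/sudoers /etc/sudoers.d/; do
        target=$(audit_rules_target augenrules "$tmp" "$dpath" actions)
        audit_watch_ensure "$target" "$dpath" wa actions
    done
    cat "$tmp/rules.d/50-sudo.rules"
    rm -rf "$tmp"
}

demo
```

<p>Running the script prints the repaired file: the <code>/etc/sudoers</code> rule gains the missing <code>w</code> and <code>a</code> bits and becomes <code>-p rwa</code>, while the already compliant <code>/etc/sudoers.d/</code> rule is left untouched. To apply the same logic to a real host, pass <code>/etc/audit</code> as the directory and <code>auditctl</code> or <code>augenrules</code> according to the <code>ExecStartPost</code> line of <code>auditd.service</code>, which is what the OVAL tests below inspect to decide which file family to check.</p></div></td></tr><tr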
class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175400208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362175400208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }} mode: 0600 path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudoers</span> <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules sudoers</span> <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudoers</span> <span class="label 
label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl sudoers</span> <span class="label label-default">oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" id="rule-detail-idm46361752481952"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Informationxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification mediumCCE-83715-3 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information</h3></div><div class="panel-body"><table 
class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_usergroup_modification:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:55+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83715-3">CCE-83715-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a 
href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000018</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001403</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002130</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a></p></td></tr><tr><td>Description</td><td><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> 
program to read audit rules during daemon startup (the default), add the following lines to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify user and group accounts: <pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre> <br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following lines to the <code>/etc/audit/audit.rules</code> file, in order to capture events that modify user and group accounts: <pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;This rule checks for multiple syscalls related to account changes; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked.
For example: <ul><li><code>audit_rules_usergroup_modification_group</code></li><li><code>audit_rules_usergroup_modification_gshadow</code></li><li><code>audit_rules_usergroup_modification_passwd</code></li></ul></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362175204416" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362175204416"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/group" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/group" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/group $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/group$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/group -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/passwd" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/passwd" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/passwd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/passwd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/passwd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/gshadow" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/gshadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/gshadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/gshadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/gshadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection.
readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/shadow" /etc/audit/rules.d/*.rules)

# For each of the matched entries
for match in "${matches[@]}"
do
    # Extract filepath from the match
    rulesd_audit_file=$(echo $match | cut -f1 -d ':')
    # Append that path into list of files for inspection
    files_to_inspect+=("$rulesd_audit_file")
done
# Case when particular audit rule isn't defined yet
if [ "${#files_to_inspect[@]}" -eq "0" ]
then
    # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection
    key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules"
    # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions
    if [ ! -e "$key_rule_file" ]
    then
        touch "$key_rule_file"
        chmod 0640 "$key_rule_file"
    fi
    files_to_inspect+=("$key_rule_file")
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/shadow" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access type bits

        # Define BRE whitespace class shortcut
        sp="[[:space:]]"
        # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
        current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/shadow $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file")
        # Split required access bits string into characters array
        # (to check bit's presence for one bit at a time)
        for access_bit in $(echo "wa" | grep -o .)
        do
            # For each from the required access bits (e.g. 'w', 'a') check
            # if they are already present in current access bits for rule.
            # If not, append that bit at the end
            if ! grep -q "$access_bit" <<< "$current_access_bits"
            then
                # Concatenate the existing mask with the missing bit
                current_access_bits="$current_access_bits$access_bit"
            fi
        done
        # Propagate the updated rule's access bits (original + the required
        # ones) back into the /etc/audit/audit.rules file for that rule
        sed -i "s#\($sp*-w$sp\+/etc/shadow$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file"
    else
        # Rule isn't present yet. Append it at the end of $audit_rules_file file
        # with proper key

        echo "-w /etc/shadow -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file"
    fi
done

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  | Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl             |     Doesn't matter    |  /etc/audit/audit.rules        |
# -----------------------------------------------------------------------------------------
#        augenrules           |          Yes          |  /etc/audit/rules.d/*.rules    |
#        augenrules           |          No           |  /etc/audit/rules.d/$key.rules |
# -----------------------------------------------------------------------------------------
files_to_inspect=()

# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
files_to_inspect+=('/etc/audit/audit.rules')

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do
    # Check if audit watch file system object rule for given path already present
    if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file"
    then
        # Rule is found => verify yet if existing rule definition contains
        # all of the required access
type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done # Create a list of audit *.rules files that should be inspected for presence and correctness # of a particular audit rule. 
The scheme is as follows: # # ----------------------------------------------------------------------------------------- # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | # ----------------------------------------------------------------------------------------- # auditctl | Doesn't matter | /etc/audit/audit.rules | # ----------------------------------------------------------------------------------------- # augenrules | Yes | /etc/audit/rules.d/*.rules | # augenrules | No | /etc/audit/rules.d/$key.rules | # ----------------------------------------------------------------------------------------- files_to_inspect=() # If the audit is 'augenrules', then check if rule is already defined # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. # If rule isn't defined, add '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' to list of files for inspection. readarray -t matches < <(grep -HP "[\s]*-w[\s]+/etc/security/opasswd" /etc/audit/rules.d/*.rules) # For each of the matched entries for match in "${matches[@]}" do # Extract filepath from the match rulesd_audit_file=$(echo $match | cut -f1 -d ':') # Append that path into list of files for inspection files_to_inspect+=("$rulesd_audit_file") done # Case when particular audit rule isn't defined yet if [ "${#files_to_inspect[@]}" -eq "0" ] then # Append '/etc/audit/rules.d/audit_rules_usergroup_modification.rules' into list of files for inspection key_rule_file="/etc/audit/rules.d/audit_rules_usergroup_modification.rules" # If the audit_rules_usergroup_modification.rules file doesn't exist yet, create it with correct permissions if [ ! 
-e "$key_rule_file" ] then touch "$key_rule_file" chmod 0640 "$key_rule_file" fi files_to_inspect+=("$key_rule_file") fi # Finally perform the inspection and possible subsequent audit rule # correction for each of the files previously identified for inspection for audit_rules_file in "${files_to_inspect[@]}" do # Check if audit watch file system object rule for given path already present if grep -q -P -- "^[\s]*-w[\s]+/etc/security/opasswd" "$audit_rules_file" then # Rule is found => verify yet if existing rule definition contains # all of the required access type bits # Define BRE whitespace class shortcut sp="[[:space:]]" # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule current_access_bits=$(sed -ne "s#$sp*-w$sp\+/etc/security/opasswd $sp\+-p$sp\+\([rxwa]\{1,4\}\).*#\1#p" "$audit_rules_file") # Split required access bits string into characters array # (to check bit's presence for one bit at a time) for access_bit in $(echo "wa" | grep -o .) do # For each from the required access bits (e.g. 'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s#\($sp*-w$sp\+/etc/security/opasswd$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)#\1$current_access_bits\3#" "$audit_rules_file" else # Rule isn't present yet. 
Append it at the end of $audit_rules_file file # with proper key echo "-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification" >> "$audit_rules_file" fi done else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span>Â <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules /etc/group</span>Â <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_group_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules /etc/passwd</span>Â <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1</span>Â <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules /etc/gshadow</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules /etc/shadow</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules /etc/security/opasswd</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/group</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_group_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/passwd</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/gshadow</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/shadow</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit /etc/security/opasswd</span>&nbsp;<span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" 
id="rule-detail-idm46361752036624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd flush priorityxccdf_org.ssgproject.content_rule_auditd_data_retention_flush mediumCCE-83685-8 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd flush priority</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_flush</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_data_retention_flush:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83685-8">CCE-83685-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a 
href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001576</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/audit/auditd.conf</code> to ensure that audit event data is fully synchronized with the log files on the disk: <pre>flush = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_flush">incremental_async</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Audit data should be synchronously written to disk to ensure log integrity. 
The <code>flush</code> setting controls how often auditd forces buffered records to disk. Note that <code>incremental_async</code> is not a synchronous mode: auditd flushes in the background after every <code>freq</code> records (see the next rule), which trades the durability of the most recent records for throughput; only the <code>data</code> and <code>sync</code> values force each record to disk before auditd continues.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">test the value of flush parameter in /etc/audit/auditd.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_auditd_data_retention_flush:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>flush = INCREMENTAL_ASYNC</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-detail-idm46361752012816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of records to cause an explicit flush to audit logsxccdf_org.ssgproject.content_rule_auditd_freq mediumCCE-83704-7 </div><div class="panel-heading"><h3 class="panel-title">Set number of records to cause an explicit flush to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_freq</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_freq:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83704-7">CCE-83704-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure the audit daemon to issue an explicit flush-to-disk command after every <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr> records written, set <code>freq</code> to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr></code> in <code>/etc/audit/auditd.conf</code>. The <code>freq</code> value only takes effect when <code>flush</code> is set to <code>incremental</code> or <code>incremental_async</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>freq</code> is not set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_freq">50</abbr></code>, the flush to disk may happen only after a larger number of records, increasing the number of audit records that can be lost on a crash or power failure.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr 
title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of freq setting in the /etc/audit/auditd.conf file</span>&nbsp;<span class="label label-default">oval:ssg-test_auditd_freq:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>freq = 50</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-detail-idm46361752008848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-83682-5 </div><div class="panel-heading"><h3 class="panel-title">Include Local Events in Audit Logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_local_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_local_events:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83682-5">CCE-83682-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. 
This is the default setting.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>local_events</code> isn't set to <code>yes</code> only events from network will be aggregated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of local_events setting in the /etc/audit/auditd.conf file</span>Â <span class="label label-default">oval:ssg-test_auditd_local_events:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>local_events = yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-detail-idm46361752004880"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format lowCCE-83696-5 </div><div class="panel-heading"><h3 class="panel-title">Resolve information before writing to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_log_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_log_format:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83696-5">CCE-83696-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <code>log_format</code> to <code>ENRICHED</code> in <code>/etc/audit/auditd.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>log_format</code> isn't set to <code>ENRICHED</code>, the audit records will be stored in a format exactly as the kernel sends 
them.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of log_format setting in the /etc/audit/auditd.conf file</span>Â <span class="label label-default">oval:ssg-test_auditd_log_format:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>log_format = ENRICHED</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_name_format" id="rule-detail-idm46361752000912"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set hostname as computer node name in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-83686-6 </div><div class="panel-heading"><h3 class="panel-title">Set hostname as computer node name in audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_name_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_name_format:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label 
label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83686-6">CCE-83686-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set <code>name_format</code> to <code>hostname</code> in <code>/etc/audit/auditd.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If option <code>name_format</code> is left at its default value of <code>none</code>, audit events from different computers may be hard to distinguish.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" 
data-target="#idm46362159598848" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362159598848"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then if [ -e "/etc/audit/auditd.conf" ] ; then LC_ALL=C sed -i "/^\s*name_format\s*=\s*/Id" "/etc/audit/auditd.conf" else touch "/etc/audit/auditd.conf" fi # make sure file has newline at the end sed -i -e '$a\' "/etc/audit/auditd.conf" cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak" # Insert at the end of the file printf '%s\n' "name_format = hostname" >> "/etc/audit/auditd.conf" # Clean up after ourselves. 
rm "/etc/audit/auditd.conf.bak" else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159595760" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159595760"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts package_facts: manager: auto tags: - CCE-83686-6 - NIST-800-53-AU-3 - NIST-800-53-CM-6 - auditd_name_format - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Set hostname as computer node name in audit logs block: - name: Check for duplicate values lineinfile: path: /etc/audit/auditd.conf create: false regexp: (?i)^\s*name_format\s*=\s* state: absent check_mode: true changed_when: false register: dupes - name: Deduplicate values from /etc/audit/auditd.conf lineinfile: path: /etc/audit/auditd.conf create: false regexp: (?i)^\s*name_format\s*=\s* state: absent when: dupes.found is defined and dupes.found > 1 - name: Insert correct line to /etc/audit/auditd.conf lineinfile: path: /etc/audit/auditd.conf create: true regexp: (?i)^\s*name_format\s*=\s* line: name_format = hostname state: present when: - '"audit" in ansible_facts.packages' - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] tags: - CCE-83686-6 - NIST-800-53-AU-3 - NIST-800-53-CM-6 - auditd_name_format - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a 
class="btn btn-success" data-toggle="collapse" data-target="#idm46362159592176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159592176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute
_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }} mode: 0640 path: /etc/audit/auditd.conf overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of name_format setting in the /etc/audit/auditd.conf file</span>Â <span class="label label-default">oval:ssg-test_auditd_name_format:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>name_format = NONE</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-detail-idm46361751994240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Write Audit Logs to the Diskxccdf_org.ssgproject.content_rule_auditd_write_logs mediumCCE-83705-4 </div><div class="panel-heading"><h3 class="panel-title">Write Audit Logs to the Disk</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_write_logs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_write_logs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83705-4">CCE-83705-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_STG.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure Audit daemon to write Audit logs to the disk, set <code>write_logs</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. 
This is the default setting.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>write_logs</code> isn't set to <code>yes</code>, the Audit logs will not be written to the disk.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of write_logs setting in the /etc/audit/auditd.conf file</span>Â <span class="label label-default">oval:ssg-test_auditd_write_logs:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = yes</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of write_logs setting in the /etc/audit/auditd.conf file</span>Â <span class="label label-default">oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_access_failed" id="rule-detail-idm46361751990272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditing of unsuccessful file accessesxccdf_org.ssgproject.content_rule_audit_access_failed mediumCCE-83672-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditing of unsuccessful file accesses</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_access_failed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_access_failed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83672-6">CCE-83672-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Unsuccessful file access (any other opens) This has to go last. -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access </pre> Load new Audit rules into kernel by running: <pre>augenrules --load</pre> Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. 
Auditing of such activities helps in their monitoring and investigation.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159524896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div class="panel-collapse collapse" id="idm46362159524896"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q ppc64le /proc/sys/kernel/osrelease ) ); }; then cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules ## Unsuccessful file access (any other opens) This has to go last. 
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access EOF chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules augenrules --load else >&2 echo 'Remediation is not applicable, nothing was done' fi </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159521648" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159521648"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules according to policy copy: dest: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules content: | ## Unsuccessful file access (any other opens) This has to go last. 
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access force: true when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == "ppc64le" ) ) tags: - CCE-83672-6 - NIST-800-53-AU-2(a) - audit_access_failed - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy - name: Remove any permissions from other group file: path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules mode: o-rwx when: - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == "ppc64le" ) ) tags: - CCE-83672-6 - NIST-800-53-AU-2(a) - audit_access_failed - low_complexity - low_disruption - medium_severity - no_reboot_needed - restrict_strategy </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159514320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet â²</a><br><div class="panel-collapse collapse" id="idm46362159514320"><pre><code>--- apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig spec: config: ignition: version: 3.1.0 storage: files: - contents: source: 
data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access mode: 0600 path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules is exactly what is defined in rule description</span>Â <span class="label label-default">oval:ssg-audit_access_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-audit_access_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</td><td>^.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_audit_access_success" id="rule-detail-idm46361751980896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditing of successful file accessesxccdf_org.ssgproject.content_rule_audit_access_success mediumCCE-83653-6 </div><div class="panel-heading"><h3 class="panel-title">Configure auditing of successful file accesses</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_access_success</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_access_success:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83653-6">CCE-83653-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that successful attempts to access a file are audited. The following rules configure audit as described above: <pre>## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access</pre> Load the new Audit rules into the kernel by running: <pre>augenrules --load</pre> Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect the contents of the file closely and make sure that they are aligned with your needs.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Auditing of successful attempts to access a file helps in the investigation of activities performed on the system.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159433904" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362159433904"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q ppc64le /proc/sys/kernel/osrelease ) ); }; then

cat << 'EOF' > /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
EOF

chmod o-rwx /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159430544" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159430544"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Put contents into /etc/audit/rules.d/30-ospp-v42-3-access-success.rules according to policy
  copy:
    dest: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
    content: |
      ## Successful file access (any other opens) This has to go last.
      ## These next two are likely to result in a whole lot of events
      -a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
      -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
    force: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == "ppc64le" ) )
  tags:
  - CCE-83653-6
  - NIST-800-53-AU-2(a)
  - audit_access_success
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Remove any permissions from other group
  file:
    path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
    mode: o-rwx
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ( not ( ansible_architecture == "aarch64" ) and not ( ansible_architecture == "ppc64le" ) )
  tags:
  - CCE-83653-6
  - NIST-800-53-AU-2(a)
  - audit_access_success
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362159424960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362159424960"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access
        mode: 0600
        path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-success.rules is exactly what is defined in rule description</span>&nbsp;<span class="label label-default">oval:ssg-audit_access_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-audit_access_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>/etc/audit/rules.d/30-ospp-v42-3-access-success.rules</td><td>^.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" id="rule-detail-idm46361751554064"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure cron Is Logging To Rsyslogxccdf_org.ssgproject.content_rule_rsyslog_cron_logging mediumCCE-83994-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure cron Is Logging To Rsyslog</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_cron_logging</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_cron_logging:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83994-4">CCE-83994-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Cron logging must be implemented to spot intrusions or trace cron job status. If <code>cron</code> is not logging to <code>rsyslog</code>, it can be implemented by adding the following to the <i>RULES</i> section of <code>/etc/rsyslog.conf</code>: <pre>cron.* /var/log/cron</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">cron is configured in /etc/rsyslog.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_cron_logging_rsyslog:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>cron.* /var/log/cron # Everybody gets emergency messages</td></tr></tbody></table><h4><span class="label label-primary">cron is configured in /etc/rsyslog.d</span>&nbsp;<span class="label label-default">oval:ssg-test_cron_logging_rsyslog_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_cron_logging_rsyslog_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>^.*$</td><td>^[\s]*cron\.\*[\s]+/var/log/cron\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" id="rule-detail-idm46361751541920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership mediumCCE-83834-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate Group</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_groupownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83834-2">CCE-83834-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The group-owner of all log files written by <code>rsyslog</code> should be <code>root</code>. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's group owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code>root</code>, run the following command to correct this: <pre>$ sudo chgrp root <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. 
Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate groupowner set</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_files_groupownership:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" id="rule-detail-idm46361751537920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership mediumCCE-83946-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure Log Files Are Owned By Appropriate 
User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_ownership</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_ownership:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83946-4">CCE-83946-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The owner of all log files written by <code>rsyslog</code> should be <code>root</code>. 
These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's owner: <pre>$ ls -l <i>LOGFILE</i></pre> If the owner is not <code>root</code>, run the following command to correct this: <pre>$ sudo chown root <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate owner set</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_files_ownership:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" id="rule-detail-idm46361751533936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-83689-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure System Log Files Have Correct Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_files_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_files_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83689-0">CCE-83689-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a 
href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The file permissions for all log files written by <code>rsyslog</code> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in <code>/etc/rsyslog.conf</code> and typically all appear in <code>/var/log</code>. For each log file <i>LOGFILE</i> referenced in <code>/etc/rsyslog.conf</code>, run the following command to inspect the file's permissions: <pre>$ ls -l <i>LOGFILE</i></pre> If the permissions are not 600 or more restrictive, run the following command to correct this: <pre>$ sudo chmod 600 <i>LOGFILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155750080" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362155750080"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# List of log file paths to be inspected for correct permissions
# * Primarily inspect log file paths listed in /etc/rsyslog.conf
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
#   (store the result into array for the case there's shell glob used as value of IncludeConfig)
readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)

# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS

# Array to hold all rsyslog config entries
RSYSLOG_CONFIGS=()
RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")

# Get full list of files to be checked
# RSYSLOG_CONFIGS may contain globs such as
# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
    # If directory, rsyslog will search for config files in it recursively.
    # However, files in hidden sub-directories or hidden files will be ignored.
    if [ -d "${ENTRY}" ]
    then
        readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
        RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
    elif [ -f "${ENTRY}" ]
    then
        RSYSLOG_CONFIG_FILES+=("${ENTRY}")
    else
        echo "Invalid include object: ${ENTRY}"
    fi
done

# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
    # From each of these files extract just particular log file path(s), thus:
    # * Ignore lines starting with space (' '), comment ('#'), or variable syntax ('$') characters,
    # * Ignore empty lines,
    # * Strip quotes and closing brackets from paths.
    # * Ignore paths that match /dev|/etc.*\.conf, as those are paths, but likely not log files
    # * From the remaining valid rows select only fields constituting a log file path
    # Text file column is understood to represent a log file path if and only if all of the
    # following are met:
    # * it contains at least one slash '/' character,
    # * it is preceded by space
    # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters
    # Search log file for path(s) only in case it exists!
    if [[ -f "${LOG_FILE}" ]]
    then
        NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
        LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
        FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}")
        CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
        MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
        # Since above sed command might return more than one item (delimited by newline), split
        # the particular matches entries into new array specific for this log file
        readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS"
        # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with
        # items from newly created array for this log file
        LOG_FILE_PATHS+=("${ARRAY_FOR_LOG_FILE[@]}")
        # Delete the temporary array
        unset ARRAY_FOR_LOG_FILE
    fi
done

# Check for RainerScript action log format which might be also multiline so grep regex is a bit
# curly:
# extract possibly multiline action omfile expressions
# extract File="logfile" expression
# match only "logfile" expression
for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
    ACTION_OMFILE_LINES=$(grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" "${LOG_FILE}")
    OMFILE_LINES=$(echo "${ACTION_OMFILE_LINES}"| grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)")
    LOG_FILE_PATHS+=("$(echo "${OMFILE_LINES}"| grep -oE "\"([/[:alnum:][:punct:]]*)\""|tr -d "\"")")
done

# Ensure the correct attribute if file exists
FILE_CMD="chmod"
for LOG_FILE_PATH in "${LOG_FILE_PATHS[@]}"
do
    # Sanity check - if particular $LOG_FILE_PATH is empty string, skip it from further processing
    if [ -z "$LOG_FILE_PATH" ]
    then
        continue
    fi
    $FILE_CMD "0600" "$LOG_FILE_PATH"
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155739024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362155739024"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Ensure System Log Files Have Correct Permissions - Set rsyslog logfile configuration facts
  ansible.builtin.set_fact:
    rsyslog_etc_config: /etc/rsyslog.conf
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Get IncludeConfig directive
  ansible.builtin.shell: |
    set -o pipefail
    grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
  register: rsyslog_old_inc
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Get include files directives
  ansible.builtin.shell: |
    set -o pipefail
    awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' {{ rsyslog_etc_config }} || true
  register: rsyslog_new_inc
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Aggregate rsyslog includes
  ansible.builtin.set_fact:
    include_config_output: '{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - List all config files
  ansible.builtin.find:
    paths: '{{ include_config_output | list | map(''dirname'') }}'
    patterns: '{{ include_config_output | list | map(''basename'') }}'
    hidden: false
    follow: true
  register: rsyslog_config_files
  failed_when: false
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Extract log files old format
  ansible.builtin.shell: |
    set -o pipefail
    grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//' || true
  loop: '{{ rsyslog_config_files.files|map(attribute=''path'')|list|flatten|unique + [ rsyslog_etc_config ] }}'
  register: log_files_old
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Extract log files new format
  ansible.builtin.shell: |
    set -o pipefail
    grep -ozP "action\s*\(\s*type\s*=\s*\"omfile\"[^\)]*\)" {{ item }} | grep -aoP "File\s*=\s*\"([/[:alnum:][:punct:]]*)\"\s*\)"|grep -oE "\"([/[:alnum:][:punct:]]*)\"" |tr -d "\""|| true
  loop: '{{ rsyslog_config_files.files|map(attribute=''path'')|list|flatten|unique + [ rsyslog_etc_config ] }}'
  register: log_files_new
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Sum all log files found
  ansible.builtin.set_fact:
    log_files: '{{ log_files_new.results|map(attribute=''stdout_lines'')|list|flatten|unique + log_files_old.results|map(attribute=''stdout_lines'')|list|flatten|unique }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions

- name: Ensure System Log Files Have Correct Permissions - Setup log files attribute
  ansible.builtin.file:
    path: '{{ item }}'
    mode: 384
    state: file
  loop: '{{ log_files | list | flatten | unique }}'
  failed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83689-0
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-10.5.1
  - PCI-DSS-Req-10.5.2
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_files_permissions
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">System log files have appropriate permissions set</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_files_permissions:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/var/log/cron</td><td>regular</td><td>0</td><td>0</td><td>1714</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/spooler</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/cloud-init.log</td><td>regular</td><td>0</td><td>0</td><td>328087</td><td><code>rw-r--r--&nbsp;</code></td></tr><tr><td>/var/log/secure</td><td>regular</td><td>0</td><td>0</td><td>18273</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/maillog</td><td>regular</td><td>0</td><td>0</td><td>0</td><td><code>rw-------&nbsp;</code></td></tr><tr><td>/var/log/messages</td><td>regular</td><td>0</td><td>0</td><td>438556</td><td><code>rw-------&nbsp;</code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_nolisten" id="rule-detail-idm46361751503424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Serverxccdf_org.ssgproject.content_rule_rsyslog_nolisten mediumCCE-83995-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog Does Not Accept Remote 
Messages Unless Acting As Log Server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_nolisten</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_nolisten:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83995-1">CCE-83995-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a 
href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> daemon should not accept remote messages unless the system acts as a log server. 
To ensure that it is not listening on the network, ensure the following lines are <i>not</i> found in <code>/etc/rsyslog.conf</code>: <pre>$ModLoad imtcp
$InputTCPServerRun <i>port</i>
$ModLoad imudp
$UDPServerRun <i>port</i>
$ModLoad imrelp
$InputRELPServerRun <i>port</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun | $ModLoad imtcp | $ModLoad imudp | $ModLoad imrelp</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_nolisten:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_rsyslog_nolisten:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>^[\s]*\$((?:Input(?:TCP|RELP)|UDP)ServerRun|ModLoad[\s]+(imtcp|imudp|imrelp))</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" id="rule-detail-idm46361751499456"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Logs Sent To Remote Hostxccdf_org.ssgproject.content_rule_rsyslog_remote_loghost 
mediumCCE-83990-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure Logs Sent To Remote Host</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_loghost:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83990-2">CCE-83990-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R7)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R43)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001348</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000136</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, 
<a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a href="">SRG-OS-000032-VMM-000130</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.6</a></p></td></tr><tr><td>Description</td><td><div class="description">To configure rsyslog to send logs to a remote log server, open <code>/etc/rsyslog.conf</code> and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting <code><i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></code> appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments. 
<br> To use UDP for log message delivery: <pre>*.* @<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use TCP for log message delivery: <pre>*.* @@<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> To use RELP for log message delivery: <pre>*.* :omrelp:<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr></i></pre> <br> There must be a resolvable DNS CNAME or Alias record set to "<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>" for logs to be sent correctly to the centralized logging utility.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;It is important to configure queues in case the client is sending log messages to a remote server. If queues are not configured, the system will stop functioning when the connection to the remote server is not available. Please consult Rsyslog documentation for more information about configuration of queues.
The example configuration which should go into <code>/etc/rsyslog.conf</code> can look like the following lines: <pre>
$ActionQueueType LinkedList
$ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
</pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155248272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362155248272"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>'

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/rsyslog.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^\*\.\*")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "@@$rsyslog_remote_loghost_address"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83990-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
    printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155244496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362155244496"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>
  tags:
    - always

- name: Set rsyslog remote loghost
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: ^\*\.\*
    line: '*.* @@{{ rsyslog_remote_loghost_address }}'
    create: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83990-2
    - NIST-800-53-AU-4(1)
    - NIST-800-53-AU-9(2)
    - NIST-800-53-CM-6(a)
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - rsyslog_remote_loghost
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp;<span class="label label-default">oval:ssg-test_remote_rsyslog_conf:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_conf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.conf</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Ensures system configured to export logs to remote host</span>&nbsp;<span class="label label-default">oval:ssg-test_remote_rsyslog_d:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_remote_loghost_rsyslog_d:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/rsyslog.d</td><td>^.+\.conf$</td><td>^\*\.\*[\s]+(?:@|\:omrelp\:)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" id="rule-detail-idm46361751495472"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure TLS for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls mediumCCE-83991-0 </div><div class="panel-heading"><h3 class="panel-title">Configure TLS for rsyslog
remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83991-0">CCE-83991-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_X509_EXT.1.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to a remote server through the Forwarding Output Module (<code>omfwd</code>), using an action directive in <code>/etc/rsyslog.conf</code>. You can use the following command: <pre>echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf </pre> Replace <code><remote system></code> in the above command with the IP address or host name of the remote logging server.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155224224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362155224224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

rsyslog_remote_loghost_address='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>'

# Parameters (and their values) that are appended to an existing omfwd action when absent.
params_to_add_if_missing=("protocol" "target" "port" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_add_if_missing=("tcp" "$rsyslog_remote_loghost_address" "6514" "gtls" "1" "x509/name" "on")
# Parameters (and their values) that are rewritten when present with a different value.
params_to_replace_if_wrong_value=("protocol" "StreamDriver" "StreamDriverMode" "StreamDriverAuthMode" "streamdriver.CheckExtendedKeyPurpose")
values_to_replace_if_wrong_value=("tcp" "gtls" "1" "x509/name" "on")

# Collect every config file that already carries an omfwd action, one array element per file,
# so that each matching file is processed on its own.
mapfile -t files_containing_omfwd < <(grep -ilE '^[^#]*\s*action\s*\(\s*type\s*=\s*"omfwd".*' /etc/rsyslog.conf /etc/rsyslog.d/*.conf)

if [ -n "${files_containing_omfwd[*]}" ]; then
    for file in "${files_containing_omfwd[@]}"; do
        # Slurp the whole file (H;$!d;x) so the action(...) directive can span several lines.
        for ((i=0; i<${#params_to_replace_if_wrong_value[@]}; i++)); do
            sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?)${params_to_replace_if_wrong_value[$i]}\s*=\s*[\"]\S*[\"](.*\))|\1${params_to_replace_if_wrong_value[$i]}=\"${values_to_replace_if_wrong_value[$i]}\"\2|gI" "$file"
        done
        for ((i=0; i<${#params_to_add_if_missing[@]}; i++)); do
            if ! grep -qPzi "(?s)\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"].*?${params_to_add_if_missing[$i]}.*?\).*" "$file"; then
                sed -i -E -e 'H;$!d;x;s/^\n//' -e "s|(\s*action\s*\(\s*type\s*=\s*[\"]omfwd[\"])|\1\n${params_to_add_if_missing[$i]}=\"${values_to_add_if_missing[$i]}\"|gI" "$file"
            fi
        done
    done
else
    # No omfwd action anywhere: append a complete TLS-protected forwarding action.
    echo "action(type=\"omfwd\" protocol=\"tcp\" Target=\"$rsyslog_remote_loghost_address\" port=\"6514\" StreamDriver=\"gtls\" StreamDriverMode=\"1\" StreamDriverAuthMode=\"x509/name\" streamdriver.CheckExtendedKeyPurpose=\"on\")" >> /etc/rsyslog.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155217120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362155217120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value rsyslog_remote_loghost_address # promote to variable
  set_fact:
    rsyslog_remote_loghost_address: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address">logcollector</abbr>
  tags:
    - always

- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive in rsyslog include files'
  ansible.builtin.find:
    paths: /etc/rsyslog.d/
    pattern: '*.conf'
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_includes_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: search for omfwd action directive in rsyslog main config file'
  ansible.builtin.find:
    paths: /etc
    pattern: rsyslog.conf
    contains: ^\s*action\s*\(\s*type\s*=\s*"omfwd".*
  register: rsyslog_main_file_with_directive
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters to be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_add_if_missing:
      - protocol
      - target
      - port
      - StreamDriver
      - StreamDriverMode
      - StreamDriverAuthMode
      - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to be inserted if entirely missing'
  ansible.builtin.set_fact:
    rsyslog_values_to_add_if_missing:
      - tcp
      - '{{ rsyslog_remote_loghost_address }}'
      - '6514'
      - gtls
      - '1'
      - x509/name
      - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option parameters to be replaced if defined with wrong values'
  ansible.builtin.set_fact:
    rsyslog_parameters_to_replace_if_wrong_value:
      - protocol
      - StreamDriver
      - StreamDriverMode
      - StreamDriverAuthMode
      - streamdriver.CheckExtendedKeyPurpose
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: declare Rsyslog option values to be replaced when having wrong value'
  ansible.builtin.set_fact:
    rsyslog_values_to_replace_if_wrong_value:
      - tcp
      - gtls
      - '1'
      - x509/name
      - 'on'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: assemble list of files with existing directives'
  ansible.builtin.set_fact:
    rsyslog_files: '{{ rsyslog_includes_with_directive.files | map(attribute=''path'') | list + rsyslog_main_file_with_directive.files | map(attribute=''path'') | list }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: try to fix existing directives'
  block:
    - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives by adjusting the value'
      ansible.builtin.replace:
        path: '{{ item[0] }}'
        regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"[\s\S]*)({{ item[1][0] | regex_escape() }}\s*=\s*"\S*")([\s\S]*\))$
        replace: \1{{ item[1][0] }}="{{ item[1][1] }}"\3
      loop: '{{ rsyslog_files | product (rsyslog_parameters_to_replace_if_wrong_value | zip(rsyslog_values_to_replace_if_wrong_value)) | list }}'

    - name: 'Configure TLS for rsyslog remote logging: Fix existing omfwd directives by adding parameter and value'
      ansible.builtin.replace:
        path: '{{ item[0] }}'
        regexp: (?i)^(\s*action\s*\(\s*type\s*=\s*"omfwd"(?:[\s\S](?!{{ item[1][0] | regex_escape() }}))*.)(\))$
        replace: \1 {{ item[1][0] }}="{{ item[1][1] }}" \2
      loop: '{{ rsyslog_files | product (rsyslog_parameters_to_add_if_missing | zip(rsyslog_values_to_add_if_missing)) | list }}'
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - rsyslog_includes_with_directive.matched or rsyslog_main_file_with_directive.matched
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls

- name: 'Configure TLS for rsyslog remote logging: Add missing rsyslog directive'
  ansible.builtin.lineinfile:
    dest: /etc/rsyslog.conf
    line: action(type="omfwd" protocol="tcp" Target="{{ rsyslog_remote_loghost_address }}" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")
    create: true
  when:
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - not rsyslog_includes_with_directive.matched and not rsyslog_main_file_with_directive.matched
  tags:
    - CCE-83991-0
    - NIST-800-53-AU-9(3)
    - NIST-800-53-CM-6(a)
    - configure_strategy
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - rsyslog_remote_tls
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the omfwd action configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_remote_tls:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object
<strong><abbr>oval:ssg-obj_rsyslog_remote_tls:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*action\((?i)type(?-i)="omfwd"(.+?)\)</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" id="rule-detail-idm46361751491504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure CA certificate for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert mediumCCE-83992-8 </div><div class="panel-heading"><h3 class="panel-title">Configure CA certificate for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls_cacert:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83992-8">CCE-83992-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the CA certificate for <code>rsyslog</code> logging to a remote server over Transport Layer Security (TLS) by setting the correct path in the <code>DefaultNetstreamDriverCAFile</code> global option in <code>/etc/rsyslog.conf</code>, for example with the following command: <pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre> Replace <code>/etc/pki/tls/cert.pem</code> in the above command with the path to the file containing the CA certificate generated for the purpose of remote logging.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The CA certificate needs to be set or <code>rsyslog.service</code> fails to start with <pre>error: ca certificate is not set, cannot continue</pre></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the DefaultNetstreamDriverCAFile configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_rsyslog_remote_tls_cacert:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idm46361751562048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-84063-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84063-7">CCE-84063-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description">Rsyslog is installed by default. 
The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo dnf install rsyslog</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which supplies system logging services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_rsyslog_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>113.el9_2</td><td>8.2102.0</td><td>0:8.2102.0-113.el9_2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.2102.0-113.el9_2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="rule-detail-idm46361751558048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-83989-4 </div><div class="panel-heading"><h3 class="panel-title">Enable rsyslog Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system 
or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_rsyslog_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83989-4">CCE-83989-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a
href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">4.2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 9. 
The <code>rsyslog</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide logging services, which are essential to system administration.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>113.el9_2</td><td>8.2102.0</td><td>0:8.2102.0-113.el9_2</td><td>199e2f91fd431d51</td><td>rsyslog-0:8.2102.0-113.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the rsyslog service is running</span>&nbsp;<span class="label label-default">oval:ssg-test_service_running_rsyslog:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>rsyslog.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basi
c.target</td><td>sysinit.target</td><td>veritysetup.target</td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initc
tl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_firewalld_installed" id="rule-detail-idm46361751474128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-84021-5 </div><div class="panel-heading"><h3 class="panel-title">Install firewalld Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_firewalld_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_firewalld_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84021-5">CCE-84021-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000298-GPOS-00116</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>firewalld</code> package can be installed with the following command: <pre> $ sudo dnf install firewalld</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155011424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362155011424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155008704" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362155008704"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
  package:
    name: firewalld
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84021-5
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_firewalld_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155006336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362155006336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld

class install_firewalld {
  package { 'firewalld':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155004160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362155004160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=firewalld
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155002144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362155002144"><pre><code>[[packages]]
name = "firewalld"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_firewalld_installed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_firewalld_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>firewalld</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idm46361751470128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify 
firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-90833-5 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_firewalld_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90833-5">CCE-90833-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00231</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"> The <code>firewalld</code> service can be enabled with the following command: <pre>$ sudo systemctl enable 
firewalld.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154966784" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362154966784"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'firewalld.service'
"$SYSTEMCTL_EXEC" start 'firewalld.service'
"$SYSTEMCTL_EXEC" enable 'firewalld.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154964048" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362154964048"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service firewalld
    service:
      name: firewalld
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"firewalld" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90833-5
  - NIST-800-171-3.1.3
  - NIST-800-171-3.4.7
  - NIST-800-53-AC-4
  - NIST-800-53-CA-3(5)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-SC-7(21)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_firewalld_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154961328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362154961328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld

class enable_firewalld {
  service {'firewalld':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362154959152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362154959152"><pre><code>[customizations.services]
enabled = ["firewalld"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_firewalld_package_firewalld_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>firewalld</td></tr></tbody></table><h4><span class="label label-primary">Test that the firewalld service is running</span>&nbsp;<span class="label label-default">oval:ssg-test_service_running_firewalld:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of firewalld">oval:ssg-obj_service_running_firewalld:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^firewalld\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_firewalld:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_firewalld_socket:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_configure_firewalld_ports" id="rule-detail-idm46361751466128"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the Firewalld Portsxccdf_org.ssgproject.content_rule_configure_firewalld_ports mediumCCE-86041-1 </div><div class="panel-heading"><h3 class="panel-title">Configure the Firewalld Ports</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_firewalld_ports</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-86041-1">CCE-86041-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1416</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</a>, <a href="">SRG-OS-000096-VMM-000490</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.2.5</a></p></td></tr><tr><td>Description</td><td><div class="description">Configure the <code>firewalld</code> ports to 
allow approved services to have access to the system. To configure <code>firewalld</code> to open ports, run the following command: <pre>firewall-cmd --permanent --add-port=<i>port_number/tcp</i></pre> To configure <code>firewalld</code> to allow access for pre-defined services, run the following command: <pre>firewall-cmd --permanent --add-service=<i>service_name</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. <br><br> Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component. 
<br><br> To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.</div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&nbsp;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" id="rule-detail-idm46361751460080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-84023-1 </div><div class="panel-heading"><h3 class="panel-title">Set Default firewalld Zone for Incoming Packets</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_set_firewalld_default_zone</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-set_firewalld_default_zone:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84023-1">CCE-84023-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1416</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.4.2.1</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the default zone to <code>drop</code> for the built-in default zone which 
processes incoming IPv4 and IPv6 packets, modify the following line in <code>/etc/firewalld/firewalld.conf</code> to be: <pre>DefaultZone=drop</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">In <code>firewalld</code> the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to <code>drop</code> implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check /etc/firewalld/firewalld.conf DefaultZone for drop</span> <span class="label label-default">oval:ssg-test_firewalld_input_drop:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_firewalld_input_drop:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/firewalld/firewalld.conf</td><td>^DefaultZone=drop$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" 
id="rule-detail-idm46361751265264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-84066-0 </div><div class="panel-heading"><h3 class="panel-title">Deactivate Wireless Network Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_wireless_disable_interfaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84066-0">CCE-84066-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000085</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002418</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002421</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001443</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001444</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">1315</a>, <a href="">1319</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000299-GPOS-00117</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000300-GPOS-00118</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000481-GPOS-000481</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">3.1.2</a></p></td></tr><tr><td>Description</td><td><div 
class="description">Deactivating wireless network interfaces should prevent normal usage of the wireless capability. <br><br> Configure the system to disable all wireless network interfaces with the following command: <pre>$ sudo nmcli radio all off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.</div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_network_nmcli_permissions" id="rule-detail-idm46361751484800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent non-Privileged Users from Modifying Network Interfaces using nmclixccdf_org.ssgproject.content_rule_network_nmcli_permissions mediumCCE-90061-3 </div><div class="panel-heading"><h3 class="panel-title">Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_nmcli_permissions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-network_nmcli_permissions:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90061-3">CCE-90061-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, non-privileged users are given permissions to modify networking interfaces and configurations using the <code>nmcli</code> command. Non-privileged users should not be making configuration changes to network configurations. 
To ensure that non-privileged users do not have permissions to make changes to the network configuration using <code>nmcli</code>, create the following configuration in <code>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</code>: <pre>[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin
</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362155146464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362155146464"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if rpm --quiet -q polkit; then

# Write the polkit local-authority rule that denies every
# org.freedesktop.NetworkManager.* action to the default identity
# unless an administrator authenticates.
printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">polkit is properly configured to prevent 
non-privileged users from changing networking settings</span> <span class="label label-default">oval:ssg-test_network_nmcli_permissions:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_network_nmcli_permissions:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/polkit-1/localauthority/20-org.d/.*$</td><td>^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_network_sniffer_disabled" id="rule-detail-idm46361751480800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure System is Not Acting as a Network Snifferxccdf_org.ssgproject.content_rule_network_sniffer_disabled mediumCCE-83996-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure System is Not Acting as a Network Sniffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_network_sniffer_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-network_sniffer_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83996-9">CCE-83996-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO11.06</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.10</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI09.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS04.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.8</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.6</a>, <a href="https://www.iso.org/standard/54534.html">A.8.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode: <pre>$ ip link | grep PROMISC</pre> Promiscuous mode of an interface can be disabled with the following command: <pre>$ sudo ip link set dev <code>device_name</code> multicast off promisc off</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. 
<br><br> If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check all network interfaces for PROMISC flag</span>&nbsp;<span class="label label-default">oval:ssg-test_promisc_interfaces:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_promisc_interfaces:obj:1</abbr></strong> of type <strong>interface_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Filter</th></tr></thead><tbody><tr><td>^.*$</td><td>oval:ssg-state_promisc:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" id="rule-detail-idm46361751112512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that System Executables Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_binary_dirs mediumCCE-83908-4 </div><div class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_ownership_binary_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:06+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83908-4">CCE-83908-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should be owned by the <code>root</code> user. 
If any file <i>FILE</i> in these directories is found to be owned by a user other than root, correct its ownership with the following command: <pre>$ sudo chown root <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that execution of these programs cannot be co-opted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">binary directories uid root</span>&nbsp;<span class="label label-default">oval:ssg-test_ownership_binary_directories:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary directories">oval:ssg-object_file_ownership_binary_directories:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>no value</td><td>oval:ssg-state_owner_binaries_not_root:ste:1</td></tr></tbody></table><h4><span class="label label-primary">binary files uid root</span>&nbsp;<span class="label label-default">oval:ssg-test_ownership_binary_files:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary files">oval:ssg-object_file_ownership_binary_files:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>^.*$</td><td>oval:ssg-state_owner_binaries_not_root:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" id="rule-detail-idm46361751108512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that Shared Library Files Have Root Ownershipxccdf_org.ssgproject.content_rule_file_ownership_library_dirs mediumCCE-83907-6 </div><div class="panel-heading"><h3 class="panel-title">Verify that Shared Library Files Have Root Ownership</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_ownership_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_ownership_library_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:08+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83907-6">CCE-83907-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pre> Kernel modules, which can be added to the kernel during runtime, are also stored in <code>/lib/modules</code>. All files in these directories should be owned by the <code>root</code> user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command: <pre>$ sudo chown root <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. 
Proper ownership is necessary to protect the integrity of the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing user ownership of /lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_0:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib/">oval:ssg-object_file_ownership_library_dirs_0:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership of /lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_1:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib64/">oval:ssg-object_file_ownership_library_dirs_1:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib64</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership of 
/usr/lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_2:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib/">oval:ssg-object_file_ownership_library_dirs_2:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing user ownership of /usr/lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_ownership_library_dirs_3:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib64/">oval:ssg-object_file_ownership_library_dirs_3:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib64</td><td>^.*$</td><td>oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</td><td>oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" id="rule-detail-idm46361751101808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that System Executables Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_binary_dirs mediumCCE-83911-8 </div><div 
class="panel-heading"><h3 class="panel-title">Verify that System Executables Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_binary_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:08+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83911-8">CCE-83911-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System executables are stored in the following directories by default: <pre>/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin</pre> All files in these directories should not be group-writable or world-writable. 
If any file <i>FILE</i> in these directories is found to be group-writable or world-writable, correct its permission with the following command: <pre>$ sudo chmod go-w <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">binary files go-w</span>&nbsp;<span class="label label-default">oval:ssg-test_perms_binary_files:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="binary files">oval:ssg-object_file_permissions_binary_files:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</td><td>^.*$</td><td>oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1</td><td>oval:ssg-state_perms_binary_files_symlink:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" id="rule-detail-idm46361751097808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that Shared Library Files Have Restrictive Permissionsxccdf_org.ssgproject.content_rule_file_permissions_library_dirs mediumCCE-83909-2 </div><div class="panel-heading"><h3 class="panel-title">Verify that Shared Library 
Files Have Restrictive Permissions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_library_dirs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_library_dirs:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83909-2">CCE-83909-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001499</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</a></p></td></tr><tr><td>Description</td><td><div class="description">System-wide shared library files, which are linked to executables during process load time 
or run time, are stored in the following directories by default: <pre>/lib /lib64 /usr/lib /usr/lib64 </pre> Kernel modules, which can be added to the kernel during runtime, are stored in <code>/lib/modules</code>. All files in these directories should not be group-writable or world-writable. If any file <i>FILE</i> in these directories is found to be group-writable or world-writable, correct its permission with the following command: <pre>$ sudo chmod go-w <i>FILE</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Testing mode of /lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_library_dirs_0:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib/">oval:ssg-object_file_permissions_library_dirs_0:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_library_dirs_1:tst:1</span>&nbsp;<span class="label 
true</span>">
label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/lib64/">oval:ssg-object_file_permissions_library_dirs_1:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/lib64</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /usr/lib/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_library_dirs_2:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib/">oval:ssg-object_file_permissions_library_dirs_2:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1</td></tr></tbody></table><h4><span class="label label-primary">Testing mode of /usr/lib64/</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_library_dirs_3:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/usr/lib64/">oval:ssg-object_file_permissions_library_dirs_3:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped 
<thead>">
table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/usr/lib64</td><td>^.*$</td><td>oval:ssg-exclude_symlinks__library_dirs:ste:1</td><td>oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" id="rule-detail-idm46361751259856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-83895-3 </div><div class="panel-heading"><h3 class="panel-title">Verify that All World-Writable Directories Have Sticky Bits Set</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dir_perms_world_writable_sticky_bits:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:27:57+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83895-3">CCE-83895-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.12</a></p></td></tr><tr><td>Description</td><td><div class="description">When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes. <br> To set the sticky bit on a world-writable directory <i>DIR</i>, run the following command: <pre>$ sudo chmod +t <i>DIR</i></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. <br><br> The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system, by users for temporary file storage (such as <code>/tmp</code>), and for directories requiring global read/write access.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">all local world-writable directories have sticky bit set</span>&nbsp;<span class="label label-default">oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="only local directories">oval:ssg-object_only_local_directories:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>no value</td><td>oval:ssg-state_world_writable_and_not_sticky:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" id="rule-detail-idm46361751248384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SGID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid mediumCCE-83901-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SGID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_sgid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:00+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83901-9">CCE-83901-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.14</a></p></td></tr><tr><td>Description</td><td><div class="description">The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. This configuration check considers authorized SGID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SGID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. 
The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">sgid files outside system RPMs</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_sgid:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with sgid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_sgid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_sgid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_sgid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" id="rule-detail-idm46361751244384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure All SUID Executables Are Authorizedxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid mediumCCE-83897-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure All SUID Executables Are Authorized</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_suid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:04+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83897-9">CCE-83897-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R37)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R38)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.13</a></p></td></tr><tr><td>Description</td><td><div class="description">The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. This configuration check considers authorized SUID files which were installed via RPM. It is assumed that when an individual has sudo access to install an RPM and all packages are signed with an organizationally-recognized GPG key, the software should be considered an approved package on the system. Any SUID file not deployed through an RPM will be flagged for further review.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. 
The presence of these files should be strictly controlled on the system.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">suid files outside system RPMs</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_suid:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="files with suid set which are not owned by any RPM package">oval:ssg-obj_file_permissions_unauthorized_suid_unowned:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_suid_suid_set:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_suid_filepaths:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" id="rule-detail-idm46361751240384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-83902-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure No World-Writable Files Exist</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_unauthorized_world_writable:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:05+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83902-7">CCE-83902-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">6.1.9</a></p></td></tr><tr><td>Description</td><td><div class="description">It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. 
Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as <code>sysfs</code> or <code>procfs</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">world writable files</span>&nbsp;<span class="label label-default">oval:ssg-test_file_permissions_unauthorized_world_write:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="world writable">oval:ssg-object_file_permissions_unauthorized_world_write:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>no value</td><td>/</td><td>^.*$</td><td>oval:ssg-state_file_permissions_unauthorized_world_write:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1</td><td>oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" 
id="rule-detail-idm46361751054384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-83881-3 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nodev:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83881-3">CCE-83881-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.2</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block devices should not exist within temporary directories like <code>/dev/shm</code>. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. 
The only exception to this is chroot jails.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /dev/shm optional no</span>&nbsp;<span class="label label-default">oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span>&nbsp;<span class="label label-default">oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default 
rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-detail-idm46361751050384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-83857-3 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_noexec:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83857-3">CCE-83857-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/dev/shm</code>. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as <code>/dev/shm</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Allowing users to execute binaries from world-writable directories such as <code>/dev/shm</code> can expose the system to potential compromise.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362147408912" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362147408912"><table class="table table-striped table-bordered table-condensed"><tr><th>Reboot:</th><td>false</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {

    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /dev/shm)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo "tmpfs /dev/shm tmpfs defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi

    if mkdir -p "/dev/shm"; then
        if mountpoint -q "/dev/shm"; then
            mount -o remount --target "/dev/shm"
        else
            mount --target "/dev/shm"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362147406128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#x25B2;</a><br><div class="panel-collapse collapse" id="idm46362147406128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: 'Add noexec Option to /dev/shm: Check information associated to mountpoint'
  command: findmnt '/dev/shm'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: If /dev/shm not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /dev/shm
    - tmpfs
    - tmpfs
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Make sure noexec option is part of the to /dev/shm options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec'' }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_dev_shm_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /dev/shm: Ensure /dev/shm is mounted with noexec option'
  mount:
    path: /dev/shm
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("" | length == 0)
  tags:
  - CCE-83857-3
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - 
medium_severity - mount_option_dev_shm_noexec - no_reboot_needed </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /dev/shm optional no</span>Â <span class="label label-default">oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span>Â <span class="label label-default">oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td 
role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-detail-idm46361751046384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-83891-2 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nosuid:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83891-2">CCE-83891-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.1.8.4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /dev/shm optional no</span>&nbsp;<span class="label label-default">oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td role="num">227349</td></tr></tbody></table><h4><span class="label label-primary">/dev/shm exists</span>&nbsp;<span class="label label-default">oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>inode64</td><td role="num">227349</td><td role="num">0</td><td 
role="num">227349</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" id="rule-detail-idm46361750895808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable ExecShield via sysctlxccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield mediumCCE-83970-4 </div><div class="panel-heading"><h3 class="panel-title">Enable ExecShield via sysctl</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_exec_shield:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83970-4">CCE-83970-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R9)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002530</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a></p></td></tr><tr><td>Description</td><td><div class="description">By default on Red Hat Enterprise Linux 9 64-bit systems, ExecShield is enabled and can only be disabled if the hardware does not support ExecShield or is disabled in <code>/etc/default/grub</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. 
It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_x86_64:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppc_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 
2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_ppcle_64:tst:1</span>&nbsp;<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="64 bit architecture">oval:ssg-object_system_info_architecture_ppcle_64:obj:1</abbr></strong> of type <strong>uname_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_aarch_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">64 bit architecture</span>&nbsp;<span class="label label-default">oval:ssg-test_system_info_architecture_s390_64:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Machine class</th><th>Node name</th><th>Os name</th><th>Os release</th><th>Os version</th><th>Processor type</th></tr></thead><tbody><tr><td>x86_64</td><td>node-0.openscap4.lab.upshift.rdu2.redhat.com</td><td>Linux</td><td>5.14.0-284.18.1.el9_2.x86_64</td><td>#1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023</td><td>x86_64</td></tr></tbody></table><h4><span class="label label-primary">NX is disabled</span>&nbsp;<span class="label label-default">oval:ssg-test_nx_disabled_grub:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_nx_disabled_grub:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/boot/grub2/grub.cfg</td><td>[\s]*noexec[\s]*=[\s]*off</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-detail-idm46361750891808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-83972-0 </div><div class="panel-heading"><h3 class="panel-title">Restrict Exposed Kernel Pointer Addresses Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kptr_restrict:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83972-0">CCE-83972-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr></pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kptr_restrict = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Exposing kernel pointers 
(through procfs or <code>seq_printf()</code>) exposes kernel writeable structures which may contain function pointers. If a write vulnerability occurs in the kernel, allowing write access to any of these structures, the kernel can be compromised. This option prevents any program without the CAP_SYSLOG capability from obtaining the addresses of kernel pointers by replacing them with 0.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145182576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145182576"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kptr_restrict.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.kptr_restrict" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

sysctl_kernel_kptr_restrict_value='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr>'

#
# Set runtime for kernel.kptr_restrict
#
/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"

#
# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
#    else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.kptr_restrict\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.kptr_restrict\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83972-0"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145175344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145175344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.kptr_restrict.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83972-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - NIST-800-53-SC-30(5)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kptr_restrict

- name: Comment out any occurrences of kernel.kptr_restrict from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.kptr_restrict
    replace: '#kernel.kptr_restrict'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83972-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - NIST-800-53-SC-30(5)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kptr_restrict

- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
  set_fact:
    sysctl_kernel_kptr_restrict_value: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value">1</abbr>
  tags:
    - always

- name: Ensure sysctl kernel.kptr_restrict is set
  sysctl:
    name: kernel.kptr_restrict
    value: '{{ sysctl_kernel_kptr_restrict_value }}'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83972-0
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - NIST-800-53-SC-30(5)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kptr_restrict
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145170608" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145170608"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
        - contents:
            source: data:,kernel.kptr_restrict%3D1%0A
          mode: 0644
          path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
          overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kptr_restrict static 
configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /run/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_kptr_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kptr_restrict:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kptr_restrict set to 1 or 2</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kptr_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" id="rule-detail-idm46361750887808"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-83971-2 </div><div class="panel-heading"><h3 class="panel-title">Enable Randomized Layout of Virtual Address Space</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_randomize_va_space:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83971-2">CCE-83971-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002824</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.5.3</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.randomize_va_space</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.randomize_va_space=2</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.randomize_va_space = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Address space layout randomization (ASLR) 
makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145129152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145129152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.randomize_va_space.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.randomize_va_space" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.randomize_va_space
#
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"

#
# If kernel.randomize_va_space present in /etc/sysctl.conf, change value to "2"
#    else, add "kernel.randomize_va_space = 2" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.randomize_va_space")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.randomize_va_space\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.randomize_va_space\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83971-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145123488" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145123488"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.randomize_va_space.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83971-2
    - NIST-800-171-3.1.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - PCI-DSS-Req-2.2.1
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_randomize_va_space

- name: Comment out any occurrences of kernel.randomize_va_space from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.randomize_va_space
    replace: '#kernel.randomize_va_space'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83971-2
    - NIST-800-171-3.1.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - PCI-DSS-Req-2.2.1
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_randomize_va_space

- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83971-2
    - NIST-800-171-3.1.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - PCI-DSS-Req-2.2.1
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_randomize_va_space
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145119680" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362145119680"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
        - contents:
            source: data:,kernel.randomize_va_space%3D2%0A
          mode: 0644
          path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf
          overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf</span>&nbsp;
<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.randomize_va_space static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.randomize_va_space set to 2</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.randomize_va_space</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idm46361750956416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict lowCCE-83952-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_kernel_dmesg_restrict:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83952-2">CCE-83952-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001090</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.dmesg_restrict = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unprivileged access to the kernel syslog can expose sensitive kernel address information.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145718384" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145718384"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*kernel.dmesg_restrict.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.dmesg_restrict" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.dmesg_restrict
#
/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"

#
# If kernel.dmesg_restrict present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.dmesg_restrict = 1" to /etc/sysctl.conf
#

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.dmesg_restrict")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.dmesg_restrict\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.dmesg_restrict\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83952-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145713056" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145713056"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.dmesg_restrict.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83952-2
    - NIST-800-171-3.1.5
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
    - disable_strategy
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required
    - sysctl_kernel_dmesg_restrict

- name: Comment out any occurrences of kernel.dmesg_restrict from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.dmesg_restrict
    replace: '#kernel.dmesg_restrict'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83952-2
    - NIST-800-171-3.1.5
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
    - disable_strategy
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required
    - sysctl_kernel_dmesg_restrict

- name: Ensure sysctl kernel.dmesg_restrict is set to 1
  sysctl:
    name: kernel.dmesg_restrict
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83952-2
    - NIST-800-171-3.1.5
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
    - disable_strategy
    - low_complexity
    - low_severity
    - medium_disruption
    - reboot_required
    - sysctl_kernel_dmesg_restrict
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145709424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145709424"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.dmesg_restrict%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /run/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.dmesg_restrict set to 1</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.dmesg_restrict</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" id="rule-detail-idm46361750952416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-83954-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Image Loading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kexec_load_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83954-8">CCE-83954-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kexec_load_disabled=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kexec_load_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. 
</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145696384" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362145696384"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.kexec_load_disabled from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*kernel.kexec_load_disabled.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.kexec_load_disabled" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.kexec_load_disabled
#
/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"

#
# If kernel.kexec_load_disabled present in /etc/sysctl.conf, change value to "1"
# else, add "kernel.kexec_load_disabled = 1" to /etc/sysctl.conf
#

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kexec_load_disabled")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.kexec_load_disabled\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.kexec_load_disabled\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83954-8"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145690704" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145690704"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.kexec_load_disabled.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83954-8
    - NIST-800-53-CM-6
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kexec_load_disabled

- name: Comment out any occurrences of kernel.kexec_load_disabled from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.kexec_load_disabled
    replace: '#kernel.kexec_load_disabled'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83954-8
    - NIST-800-53-CM-6
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kexec_load_disabled

- name: Ensure sysctl kernel.kexec_load_disabled is set to 1
  sysctl:
    name: kernel.kexec_load_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83954-8
    - NIST-800-53-CM-6
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_kexec_load_disabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145687184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362145687184"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.kexec_load_disabled%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /run/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_kexec_load_disabled:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kexec_load_disabled set to 1</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kexec_load_disabled</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" id="rule-detail-idm46361750929488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Access to Network bpf() Syscall From Unprivileged Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-83957-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Access to Network bpf() Syscall From Unprivileged Processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83957-1">CCE-83957-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.unprivileged_bpf_disabled = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145537424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br><div 
class="panel-collapse collapse" id="idm46362145537424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*kernel.unprivileged_bpf_disabled.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.unprivileged_bpf_disabled" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.unprivileged_bpf_disabled
#
/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1"

#
# If kernel.unprivileged_bpf_disabled present in /etc/sysctl.conf, change value to "1"
#   else, add "kernel.unprivileged_bpf_disabled = 1" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.unprivileged_bpf_disabled")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.unprivileged_bpf_disabled\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.unprivileged_bpf_disabled\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83957-1"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145531648" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145531648"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.unprivileged_bpf_disabled.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83957-1
    - NIST-800-53-AC-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_unprivileged_bpf_disabled

- name: Comment out any occurrences of kernel.unprivileged_bpf_disabled from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.unprivileged_bpf_disabled
    replace: '#kernel.unprivileged_bpf_disabled'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83957-1
    - NIST-800-53-AC-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_unprivileged_bpf_disabled

- name: Ensure sysctl kernel.unprivileged_bpf_disabled is set to 1
  sysctl:
    name: kernel.unprivileged_bpf_disabled
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83957-1
    - NIST-800-53-AC-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_unprivileged_bpf_disabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145527984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145527984"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /run/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime
parameter kernel.unprivileged_bpf_disabled set to 1</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.unprivileged_bpf_disabled</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-detail-idm46361750922736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-83965-4 </div><div class="panel-heading"><h3 class="panel-title">Restrict usage of ptrace to descendant processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83965-4">CCE-83965-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R25)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.yama.ptrace_scope = 1</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Unrestricted use of ptrace allows a compromised binary to attach to any other process running as the same user. In this way an attacker can read sensitive data out of the target processes (e.g. SSH sessions, web browsers, ...) without any further assistance from the user (i.e. without resorting to phishing).
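Added example, not part of this OpenSCAP report nor of the ComplianceAsCode remediation it embeds. It covers the description and check of the three sysctl rules in this group (kernel.unprivileged_bpf_disabled, kernel.yama.ptrace_scope and net.core.bpf_jit_harden): each rule passes only when the parameter holds the expected value both at runtime and in the persistent configuration, and the remediation above comments out every other occurrence of the key in the drop-in directories before writing /etc/sysctl.conf because a later-sorting file would otherwise win. The POSIX shell functions below resolve the persistent value the way systemd-sysctl does, write the drop-in the descriptions ask for, and reach the pass/fail verdict for a given runtime value; the host runtime value, the one thing they cannot read offline, is passed in (on a live host from sysctl -n). Assumptions that are mine and not stated in the report: the precedence and sorting rules of sysctl.d(5), that /etc/sysctl.conf is reached through the /etc/sysctl.d/99-sysctl.conf symlink that Fedora and RHEL ship, the constructed sample tree, and the function names.

```shell
#!/bin/sh
# Added example; not part of the OpenSCAP report or of the ComplianceAsCode
# remediation it embeds. Resolves the persistent value of a sysctl the way
# systemd-sysctl does, writes the drop-in the rule descriptions ask for, and
# gives the pass/fail verdict the report's checks reach for a runtime value.
# Assumptions (mine, from sysctl.d(5)): drop-ins live in etc/, run/,
# usr/local/lib/, usr/lib/ and lib/ sysctl.d; an earlier directory shadows a
# later one for the same basename; files apply in C-locale basename order and
# the last assignment wins; /etc/sysctl.conf is reached via the
# /etc/sysctl.d/99-sysctl.conf symlink Fedora/RHEL ship. Paths are taken under
# a root prefix so everything runs offline, unprivileged, on a constructed tree.

# sysctl_static_value KEY [ROOT]: print KEY's effective persistent value, if any.
sysctl_static_value() {
  key=$1; root=${2:-}; tab=$(printf '\t')
  # "basename<TAB>path", highest-precedence directory first; keep the first
  # copy of each basename, then order by basename as systemd-sysctl does.
  files=$(
    for dir in etc/sysctl.d run/sysctl.d usr/local/lib/sysctl.d usr/lib/sysctl.d lib/sysctl.d; do
      for f in "$root/$dir"/*.conf; do
        [ -f "$f" ] && printf '%s\t%s\n' "${f##*/}" "$f"
      done
    done | awk -F"$tab" '!seen[$1]++' | LC_ALL=C sort -t "$tab" -k1,1 | cut -f2
  )
  [ -n "$files" ] || return 0
  printf '%s\n' "$files" | while IFS= read -r f; do
    cat "$f"; printf '\n'            # newline guard for files without one
  done | awk -v key="$key" '
    /^[ \t]*[#;]/ { next }                # comment line
    {
      line = $0
      sub(/^[ \t]*-/, "", line)           # a leading "-" only means "ignore errors"
      n = index(line, "=")
      if (n == 0) next
      k = substr(line, 1, n - 1); v = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      gsub("/", ".", k)                   # sysctl accepts a/b/c for a.b.c
      if (k == key) val = v               # later file or line overrides
    }
    END { if (val != "") print val }'
}

# sysctl_persist NAME ROOT KEY VALUE [KEY VALUE ...]: the persistence step from
# the descriptions, as ROOT/etc/sysctl.d/NAME.conf (overwritten if present).
sysctl_persist() {
  name=$1; root=$2; shift 2
  mkdir -p "$root/etc/sysctl.d"
  : > "$root/etc/sysctl.d/$name.conf"
  while [ $# -ge 2 ]; do
    printf '%s = %s\n' "$1" "$2" >> "$root/etc/sysctl.d/$name.conf"; shift 2
  done
}

# sysctl_rule_check KEY EXPECTED RUNTIME [ROOT]: exact match required for both
# the runtime value (on a live host: "$(sysctl -n KEY)") and the persistent one,
# which is what the OVAL definitions above demand. Returns 0 on pass, 1 on fail.
sysctl_rule_check() {
  key=$1; expected=$2; runtime=$3; root=${4:-}; rc=0
  static=$(sysctl_static_value "$key" "$root")
  [ "$runtime" = "$expected" ] || { echo "$key: runtime is ${runtime:-unset}, rule wants $expected"; rc=1; }
  [ "$static" = "$expected" ] || { echo "$key: persistent value is ${static:-unset}, rule wants $expected"; rc=1; }
  [ "$rc" -eq 0 ] && echo "$key: pass"
  return "$rc"
}

# Demo on a constructed tree; runtime values mirror the findings in this report.
sysctl_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"
  printf 'kernel.yama.ptrace_scope = 0\n' > "$root/usr/lib/sysctl.d/50-default.conf"
  printf 'kernel.unprivileged_bpf_disabled = 0\n' > "$root/run/sysctl.d/10-bpf.conf"
  : > "$root/etc/sysctl.conf"
  ln -s ../sysctl.conf "$root/etc/sysctl.d/99-sysctl.conf"
  echo "== as scanned =="
  sysctl_rule_check kernel.unprivileged_bpf_disabled 1 2 "$root" || :
  sysctl_rule_check kernel.yama.ptrace_scope 1 0 "$root" || :
  sysctl_rule_check net.core.bpf_jit_harden 2 1 "$root" || :
  echo "== after one drop-in, assuming 'sysctl --system' has applied it =="
  sysctl_persist 90-hardening "$root" kernel.unprivileged_bpf_disabled 1 \
    kernel.yama.ptrace_scope 1 net.core.bpf_jit_harden 2
  sysctl_rule_check kernel.unprivileged_bpf_disabled 1 1 "$root" || :
  sysctl_rule_check kernel.yama.ptrace_scope 1 1 "$root" || :
  sysctl_rule_check net.core.bpf_jit_harden 2 2 "$root" || :
  echo "== a later-sorting file wins: why the remediation comments out other copies =="
  printf 'kernel.yama.ptrace_scope = 0\n' >> "$root/etc/sysctl.conf"   # read as 99-sysctl.conf
  sysctl_rule_check kernel.yama.ptrace_scope 1 1 "$root" || :
  rm -rf "$root"
}

sysctl_demo
```

On a live host call the check with an empty root and the real runtime value, for example sysctl_rule_check kernel.unprivileged_bpf_disabled 1 "$(sysctl -n kernel.unprivileged_bpf_disabled)". One caveat when reading the first failure above: the kernel treats kernel.unprivileged_bpf_disabled=2 (the value found) as "disabled, but an administrator may change it back" and 1 as "disabled until reboot", so this host already refuses unprivileged bpf() calls; the rule's exact-match test nevertheless fails until the value is 1.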
</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145479616" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145479616"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.yama.ptrace_scope from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*kernel.yama.ptrace_scope.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.yama.ptrace_scope" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for kernel.yama.ptrace_scope
#
/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"

#
# If kernel.yama.ptrace_scope present in /etc/sysctl.conf, change value to "1"
#   else, add "kernel.yama.ptrace_scope = 1" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.yama.ptrace_scope")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "1"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.yama.ptrace_scope\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^kernel.yama.ptrace_scope\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83965-4"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145473968" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145473968"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*kernel.yama.ptrace_scope.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83965-4
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_yama_ptrace_scope

- name: Comment out any occurrences of kernel.yama.ptrace_scope from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.yama.ptrace_scope
    replace: '#kernel.yama.ptrace_scope'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83965-4
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_yama_ptrace_scope

- name: Ensure sysctl kernel.yama.ptrace_scope is set to 1
  sysctl:
    name: kernel.yama.ptrace_scope
    value: '1'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83965-4
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_yama_ptrace_scope
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145470448" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145470448"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.yama.ptrace_scope%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span>&nbsp;<span class="label
label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_etc_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /run/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_run_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td> oval:ssg-object_static_etc_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.yama.ptrace_scope set to 1</span>&nbsp;<span class="label
label-default">oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>The following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.yama.ptrace_scope</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" id="rule-detail-idm46361750918736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-83966-2 </div><div class="panel-heading"><h3 class="panel-title">Harden the operation of the BPF just-in-time compiler</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_core_bpf_jit_harden:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-83966-2">CCE-83966-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">To set the runtime status of the <code>net.core.bpf_jit_harden</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</pre> To make sure that the setting is persistent, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.core.bpf_jit_harden = 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">When hardened, the extended Berkeley Packet Filter just-in-time compiler blinds the constants in BPF programs (at value 2 for privileged as well as unprivileged users) so that attacker-chosen immediates cannot serve as JIT-spray gadgets, and it no longer exports the JIT image addresses through <code>/proc/kallsyms</code>.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145456272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145456272"><table class="table table-striped table-bordered
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of net.core.bpf_jit_harden from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*net.core.bpf_jit_harden.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "net.core.bpf_jit_harden" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set runtime for net.core.bpf_jit_harden
#
/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2"

#
# If net.core.bpf_jit_harden present in /etc/sysctl.conf, change value to "2"
#   else, add "net.core.bpf_jit_harden = 2" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "/etc/sysctl.conf"; then
    sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.core.bpf_jit_harden")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "2"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.core.bpf_jit_harden\\>" "/etc/sysctl.conf"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    "${sed_command[@]}" "s/^net.core.bpf_jit_harden\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
    # \n is precaution for case where file ends without trailing newline
    cce="CCE-83966-2"
    printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
    printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145450640" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145450640"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
      - /etc/sysctl.d/
      - /run/sysctl.d/
      - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.core.bpf_jit_harden.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83966-2
    - NIST-800-53-CM-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_core_bpf_jit_harden

- name: Comment out any occurrences of net.core.bpf_jit_harden from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*net.core.bpf_jit_harden
    replace: '#net.core.bpf_jit_harden'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83966-2
    - NIST-800-53-CM-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_core_bpf_jit_harden

- name: Ensure sysctl net.core.bpf_jit_harden is set to 2
  sysctl:
    name: net.core.bpf_jit_harden
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83966-2
    - NIST-800-53-CM-6
    - NIST-800-53-SC-7(10)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_net_core_bpf_jit_harden
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362145445520" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362145445520"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,net.core.bpf_jit_harden%3D2%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_etc_sysctld:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /run/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_run_sysctld:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in 
/usr/local/lib/sysctl.d/*.conf</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_usr_local_lib_sysctld:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/local/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_not_defined:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls_unfiltered:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Set</th></tr></thead><tbody><tr><td>oval:ssg-object_static_etc_sysctls_sysctl_net_core_bpf_jit_harden:obj:1<br>oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_core_bpf_jit_harden:obj:1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.core.bpf_jit_harden set to 2</span>&nbsp;<span class="label label-default">oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.core.bpf_jit_harden</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" id="rule-detail-idm46361750830800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the auditadm_exec_content SELinux Booleanxccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content mediumCCE-84090-0 </div><div class="panel-heading"><h3 class="panel-title">Enable the auditadm_exec_content SELinux Boolean</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sebool_auditadm_exec_content:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84090-0">CCE-84090-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">80424-5</a>, <a href="">0582</a>, <a href="">0584</a>, <a href="">05885</a>, <a href="">0586</a>, <a href="">0846</a>, <a href="">0957</a></p></td></tr><tr><td>Description</td><td><div class="description">By default, the SELinux boolean <code>auditadm_exec_content</code> is enabled. If this setting is disabled, it should be enabled. To enable the <code>auditadm_exec_content</code> SELinux boolean, run the following command: <pre>$ sudo setsebool -P auditadm_exec_content on</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">auditadm_exec_content is configured correctly</span>&nbsp;<span class="label label-default">oval:ssg-test_sebool_auditadm_exec_content:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Current status</th><th>Pending status</th></tr></thead><tbody><tr><td>auditadm_exec_content</td><td role="num">true</td><td role="num">true</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm46361750846576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-84074-4 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_policytype:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84074-4">CCE-84074-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a
href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, 
<a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="">SRG-OS-000445-VMM-001780</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. 
To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>: <pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. <br><br> Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file</span>&nbsp;<span class="label label-default">oval:ssg-test_selinux_policy:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUXTYPE=targeted</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass
rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm46361750841776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-84079-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_state:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84079-3">CCE-84079-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R4)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a
href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001084</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, 
<a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000134-GPOS-00068</a>, <a href="">SRG-OS-000445-VMM-001780</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">1.6.1.5</a></p></td></tr><tr><td>Description</td><td><div class="description">The SELinux state should be set to <code><abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode: <pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/selinux/enforce is 1</span> <span class="label label-default">oval:ssg-test_etc_selinux_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUX=enforcing</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" id="rule-detail-idm46361750221344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Avahi Server Softwarexccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled mediumCCE-90824-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Avahi Server Software</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_avahi-daemon_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90824-4">CCE-90824-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description"> The <code>avahi-daemon</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now avahi-daemon.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Because the Avahi daemon service keeps an open network port, it is subject to network attacks. 
Its functionality is convenient but is only appropriate if the local network can be trusted.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package avahi is removed</span> <span class="label label-default">oval:ssg-test_service_avahi-daemon_package_avahi_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_avahi-daemon_package_avahi_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>avahi</td></tr></tbody></table><h4><span class="label label-primary">Test that the avahi-daemon service is not running</span> <span class="label label-default">oval:ssg-test_service_not_running_avahi-daemon:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of avahi-daemon">oval:ssg-obj_service_not_running_avahi-daemon:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^avahi-daemon\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service avahi-daemon is masked</span> <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_avahi-daemon:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of avahi-daemon">oval:ssg-obj_service_loadstate_is_masked_avahi-daemon:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^avahi-daemon\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" id="rule-detail-idm46361750096816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-84224-5 </div><div class="panel-heading"><h3 class="panel-title">Install fapolicyd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_fapolicyd_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_fapolicyd_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84224-5">CCE-84224-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001774</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>fapolicyd</code> package can be installed with the following command: <pre>$ sudo dnf install fapolicyd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>fapolicyd</code> (File Access Policy Daemon) implements application whitelisting to decide file access rights.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135881088" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362135881088"><table class="table table-striped table-bordered 
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "fapolicyd" ; then
    dnf install -y "fapolicyd"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135878544" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135878544"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure fapolicyd is installed
  package:
    name: fapolicyd
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84224-5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-4(22)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_fapolicyd_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135876160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135876160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_fapolicyd

class install_fapolicyd {
  package { 'fapolicyd':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135873984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135873984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=fapolicyd
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135871968" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135871968"><pre><code>[[packages]]
name = "fapolicyd"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span> <span class="label label-default">oval:ssg-test_package_fapolicyd_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_test_package_fapolicyd_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" id="rule-detail-idm46361750092816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-84227-8 </div><div class="panel-heading"><h3 class="panel-title">Enable the File Access Policy Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_fapolicyd_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84227-8">CCE-84227-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001764</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001774</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</a></p></td></tr><tr><td>Description</td><td><div class="description">The File Access Policy service should be enabled. 
The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable fapolicyd.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>fapolicyd</code> service (File Access Policy Daemon) implements application whitelisting to decide file access rights.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135857344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362135857344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'fapolicyd.service'
"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135854608" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135854608"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service fapolicyd
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service fapolicyd
    service:
      name: fapolicyd
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"fapolicyd" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84227-8
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-4(22)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_fapolicyd_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135852000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135852000"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_fapolicyd

class enable_fapolicyd {
  service {'fapolicyd':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362135849824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362135849824"><pre><code>[customizations.services]
enabled = ["fapolicyd"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span> <span class="label 
label-default">oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table><h4><span class="label label-primary">Test that the fapolicyd service is running</span> <span class="label label-default">oval:ssg-test_service_running_fapolicyd:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of fapolicyd">oval:ssg-obj_service_running_fapolicyd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^fapolicyd\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_chrony_installed" id="rule-detail-idm46361749995776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Chrony package is installedxccdf_org.ssgproject.content_rule_package_chrony_installed mediumCCE-84215-3 </div><div class="panel-heading"><h3 class="panel-title">The Chrony package is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_chrony_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_chrony_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84215-3">CCE-84215-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.6.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.1</a></p></td></tr><tr><td>Description</td><td><div class="description">System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. 
The <code>chrony</code> package can be installed with the following command: <pre>$ sudo dnf install chrony</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Time synchronization is important to support time-sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span> <span class="label label-default">oval:ssg-test_package_chrony_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el9</td><td>4.3</td><td>0:4.3-1.el9</td><td>199e2f91fd431d51</td><td>chrony-0:4.3-1.el9.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_chronyd_enabled" id="rule-detail-idm46361749989744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->The Chronyd service is enabledxccdf_org.ssgproject.content_rule_service_chronyd_enabled mediumCCE-84217-9 </div><div class="panel-heading"><h3 class="panel-title">The Chronyd service is enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_service_chronyd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_chronyd_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84217-9">CCE-84217-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">0988</a>, <a href="">1405</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</a></p></td></tr><tr><td>Description</td><td><div class="description">chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>. Chrony can be configured to be a client and/or a server. 
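The OVAL tests listed under this rule, and under the failing fapolicyd rule above, check the same three facts: the package is installed, the ActiveState of the .service or .socket unit is active, and multi-user.target pulls in one of those two units. The script below is an added example written for this page; it is not part of the report, of OpenSCAP or of the SSG content. Its function names, the way it combines the three results (package present, unit active, and either unit wanted by multi-user.target), and its use of systemctl list-dependencies as a stand-in for the OVAL systemdunitdependency object are this example's own assumptions; the authoritative criteria nesting is in the SSG OVAL definition.

```shell
#!/bin/sh
# Added example for this page, not SSG, OpenSCAP or report code.
# Mirrors the three OVAL tests shown for a service_<name>_enabled rule:
#   1. package installed                       (rpminfo_object)
#   2. ActiveState of <name>.service|.socket   (systemdunitproperty_object)
#   3. multi-user.target depends on <name>.service or <name>.socket
#                                              (systemdunitdependency_object)
# Function names and the AND/OR combination are assumptions of this example.

# Pure decision logic, usable without systemd.
#   $1  "true" if the package is installed, otherwise "false"
#   $2  ActiveState reported for the unit ("active", "inactive", ...)
#   $3  space-separated list of units multi-user.target depends on
#   $4  unit base name, e.g. "chronyd" or "fapolicyd"
# Prints "pass" or "fail"; exit status 0 for pass, 1 for fail.
evaluate_service_enabled() {
    pkg_installed=$1
    active_state=$2
    deps=$3
    unit=$4

    wanted=false
    for dep in $deps; do
        case "$dep" in
            "$unit.service"|"$unit.socket") wanted=true ;;
        esac
    done

    # Assumed combination: package present AND unit active AND
    # (multi-user.target wants the service OR its socket).
    if [ "$pkg_installed" = true ] && [ "$active_state" = active ] && [ "$wanted" = true ]; then
        echo pass
        return 0
    fi
    echo fail
    return 1
}

# Live wrapper for a RHEL host (needs rpm and systemctl, so it is not part of
# the offline test): gathers the same facts and hands them to the evaluator.
#   $1  unit base name   $2  package name (defaults to the unit name)
check_service_enabled() {
    unit=$1
    pkg=${2:-$1}

    if rpm -q "$pkg" >/dev/null 2>&1; then installed=true; else installed=false; fi

    # The OVAL object matches ^<name>\.(socket|service)$, so accept either unit.
    state=$(systemctl show -p ActiveState --value "$unit.service" 2>/dev/null)
    if [ "$state" != active ]; then
        state=$(systemctl show -p ActiveState --value "$unit.socket" 2>/dev/null)
    fi

    # Recursive dependency list of multi-user.target, one unit per line, which
    # approximates the dependency table printed in the report.
    deps=$(systemctl list-dependencies --plain multi-user.target 2>/dev/null)

    evaluate_service_enabled "$installed" "$state" "$deps" "$unit"
}

# Usage on a host:  sh this_script.sh fapolicyd
if [ $# -eq 1 ]; then
    check_service_enabled "$1"
fi
```

On the scanned host, check_service_enabled fapolicyd reports fail for all three reasons at once (no package, no active unit, no dependency), which is exactly the set of false results shown for the fapolicyd rule above; after the remediation script runs, the same call should report pass.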
To enable the Chronyd service, you can run: <code># systemctl enable chronyd.service</code> This recommendation only applies if chrony is in use on the system.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If chrony is in use on the system, proper configuration is vital to ensuring time synchronization is working properly.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span> <span class="label label-default">oval:ssg-test_service_chronyd_package_chrony_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el9</td><td>4.3</td><td>0:4.3-1.el9</td><td>199e2f91fd431d51</td><td>chrony-0:4.3-1.el9.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the chronyd service is running</span> <span class="label label-default">oval:ssg-test_service_running_chronyd:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>chronyd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_chronyd:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td>
<td>sysinit.target</td><td>veritysetup.target</td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td
><td>systemd-udevd-kernel.socket</td><td>paths.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_chronyd_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" id="rule-detail-idm46361749967520"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-84218-7 </div><div class="panel-heading"><h3 class="panel-title">A remote time server for Chrony is configured</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-chronyd_specify_remote_server:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84218-7">CCE-84218-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001891</a>, <a href="">0988</a>, <a href="">1405</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.1.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><code>Chrony</code> is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems against a highly accurate time source. More information on <code>chrony</code> can be found at <a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</a>. <code>Chrony</code> can be configured to be a client and/or a server. 
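The following check is an added example for this report, not part of the SCAP Security Guide rule text or of OpenSCAP itself. It applies the same pass condition as the OVAL test listed in this rule's details (at least one uncommented <code>server</code> or <code>pool</code> line naming a source) to the text of <code>/etc/chrony.conf</code>, and reports which sources it found. The two sample configurations and the function names are the example's own, constructed for illustration; only the <code>pool 2.rhel.pool.ntp.org iburst</code> line echoes what the scan found.

```python
# Comment characters accepted in chrony.conf: a line whose first non-blank
# character is one of these is ignored by chronyd.
COMMENT_CHARS = "#%;!"

# Directives that name a remote time source. The OVAL test on this page,
# "Ensure at least one NTP server is set", is satisfied by either of them.
SOURCE_DIRECTIVES = ("server", "pool")


def remote_time_sources(conf_text):
    """Return (directive, address, options) for every uncommented server/pool
    line in the text of a chrony.conf, in file order."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        parts = line.split()
        # A directive with no address after it does not configure a source.
        if parts[0] in SOURCE_DIRECTIVES and len(parts) >= 2:
            found.append((parts[0], parts[1], parts[2:]))
    return found


def chronyd_specify_remote_server(conf_text):
    """Pass/fail outcome of the rule: True when at least one server or pool
    directive names a remote source."""
    return bool(remote_time_sources(conf_text))


# Constructed sample (hypothetical, not the scanned host's file): one live
# pool line, one commented-out server line, and unrelated directives.
SAMPLE_PASS = """# Use public servers from the pool.ntp.org project.
pool 2.rhel.pool.ntp.org iburst
#server ntp.example.internal iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

# Constructed sample: every source line is commented out, so the rule fails
# even though the file mentions both a pool and a server.
SAMPLE_FAIL = """#pool 2.rhel.pool.ntp.org iburst
; server time.example.internal
driftfile /var/lib/chrony/drift
"""


def audit(path="/etc/chrony.conf"):
    """Evaluate a real configuration file; returns the sources found."""
    with open(path, encoding="utf-8") as fh:
        return remote_time_sources(fh.read())


if __name__ == "__main__":
    for label, conf in (("sample_pass", SAMPLE_PASS), ("sample_fail", SAMPLE_FAIL)):
        status = "pass" if chronyd_specify_remote_server(conf) else "fail"
        print(f"{label}: {status} {remote_time_sources(conf)}")
```

Call <code>audit()</code> to evaluate the host's real file. Two caveats: the match is on the literal directive names, as the OVAL pattern's is, and, like the test on this page, which reads only <code>/etc/chrony.conf</code>, the function sees nothing that chronyd pulls in through an <code>include</code> or <code>sourcedir</code> directive; pass those files to it separately if the host relies on them.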
Add or edit server or pool lines in <code>/etc/chrony.conf</code> as appropriate: <pre>server &lt;remote-server&gt;</pre> Multiple servers may be configured.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If <code>chrony</code> is in use on the system, proper configuration is vital to ensuring that time synchronization works properly. Accurate, synchronized clocks are also what make audit records and logs from different hosts comparable (see the AU-8(1)(a) and PCI DSS Req-10.4.3 references above).</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure at least one NTP server is set</span> <span class="label label-default">oval:ssg-test_chronyd_remote_server:tst:1</span> <span class="label label-success">true</span></h4><h5>The following items were found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>pool 2.rhel.pool.ntp.org iburst</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_xinetd_removed" id="rule-detail-idm46361749954000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-84155-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall xinetd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_xinetd_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_xinetd_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84155-1">CCE-84155-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> package can be removed with the following command: <pre>$ sudo dnf erase xinetd</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Removing the <code>xinetd</code> package decreases the risk of the xinetd service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span> <span class="label label-default">oval:ssg-test_package_xinetd_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items were found matching the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_xinetd_disabled" id="rule-detail-idm46361749950016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable xinetd Servicexccdf_org.ssgproject.content_rule_service_xinetd_disabled mediumCCE-84156-9 </div><div class="panel-heading"><h3 class="panel-title">Disable xinetd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_xinetd_disabled</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_xinetd_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84156-9">CCE-84156-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000305</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>xinetd</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now xinetd.service</pre> Note that the check below requires the unit's LoadState to be <code>masked</code> (unless the package is absent altogether), so <code>systemctl disable</code> on its own does not satisfy this rule; the unit pattern it evaluates covers both <code>xinetd.service</code> and <code>xinetd.socket</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The xinetd service is a dedicated listener that launches other programs on demand; commonly used network services no longer need it. Disabling it ensures that the less common services it would launch are not running, and also removes xinetd itself as an attack surface.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package xinetd is removed</span> <span class="label label-default">oval:ssg-test_service_xinetd_package_xinetd_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items were found matching the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_xinetd_package_xinetd_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>xinetd</td></tr></tbody></table><h4><span class="label label-primary">Test that the xinetd service is not running</span> <span class="label label-default">oval:ssg-test_service_not_running_xinetd:tst:1</span> <span class="label label-success">true</span></h4><h5>No items were found matching the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of xinetd">oval:ssg-obj_service_not_running_xinetd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^xinetd\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the LoadState property of the xinetd service is masked</span> <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_xinetd:tst:1</span> <span class="label label-success">true</span></h4><h5>No items were found matching the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of xinetd">oval:ssg-obj_service_loadstate_is_masked_xinetd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^xinetd\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_ypbind_removed" id="rule-detail-idm46361749946032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove NIS Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed unknownCCE-84151-0 </div><div class="panel-heading"><h3 class="panel-title">Remove NIS Client</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_ypbind_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_ypbind_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and 
References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84151-0">CCE-84151-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. 
The NIS client (<code>ypbind</code>) was used to bind a system to an NIS server and receive the distributed configuration files.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">NIS is inherently insecure: it has been vulnerable to denial-of-service attacks and buffer overflows, and it provides poor authentication for querying NIS maps. NIS has generally been replaced by protocols such as the Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package ypbind is removed</span> <span class="label label-default">oval:ssg-test_package_ypbind_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items were found matching the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_ypbind_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>ypbind</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed" id="rule-detail-idm46361749936640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh-server Packagexccdf_org.ssgproject.content_rule_package_rsh-server_removed highCCE-84143-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_rsh-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsh-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84143-7">CCE-84143-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh-server</code> package can be removed with the following command: <pre> $ sudo dnf erase rsh-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>rsh-server</code> service provides an unencrypted remote access service that does not protect the confidentiality and integrity of user passwords or the remote session, and it has very weak authentication. If a privileged user were to log in using this service, the privileged user's password could be compromised. The <code>rsh-server</code> package provides several obsolete and insecure network services. 
Removing it decreases the risk of those services' accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_rsh-server_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="rule-detail-idm46361749932640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed unknownCCE-84142-9 </div><div class="panel-heading"><h3 class="panel-title">Uninstall rsh Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsh_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_rsh_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84142-9">CCE-84142-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>rsh</code> package contains the client commands for the rsh services.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">These legacy clients contain numerous security exposures and have been replaced by the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed, to prevent users from inadvertently attempting to use these commands and thereby exposing their credentials. Note that removing the <code>rsh</code> package removes the clients for <code>rsh</code>, <code>rcp</code>, and <code>rlogin</code>.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsh is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_rsh_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsh_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsh</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk-server_removed" id="rule-detail-idm46361749917888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall 
talk-server Packagexccdf_org.ssgproject.content_rule_package_talk-server_removed mediumCCE-84158-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_talk-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84158-5">CCE-84158-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk-server</code> package can be removed with the following command: <pre> $ sudo dnf erase talk-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk because it uses unencrypted protocols for its communications. 
Removing the <code>talk-server</code> package decreases the risk of the accidental (or intentional) activation of talk services.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_talk-server_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="rule-detail-idm46361749913888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-84157-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall talk Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_talk_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_talk_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84157-7">CCE-84157-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>talk</code> package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. 
Talk is a communication program that copies lines from one terminal to the terminal of another user. The <code>talk</code> package can be removed with the following command: <pre> $ sudo dnf erase talk</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The talk software presents a security risk because it uses unencrypted protocols for its communications. Removing the <code>talk</code> package decreases the risk of the accidental (or intentional) activation of the talk client program.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package talk is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_talk_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_talk_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>talk</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed" id="rule-detail-idm46361749909920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-84149-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall telnet-server Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_telnet-server_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_telnet-server_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84149-4">CCE-84149-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000381</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.13</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>telnet-server</code> package can be removed with the following command: <pre> $ sudo dnf erase telnet-server</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain insecure. They increase the risk to the platform by providing additional attack vectors. <br> The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log in using this service, the privileged user password could be compromised. 
<br> Removing the <code>telnet-server</code> package decreases the risk of the telnet service's accidental (or intentional) activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_telnet-server_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="rule-detail-idm46361749905920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-84146-0 </div><div class="panel-heading"><h3 class="panel-title">Remove telnet Clients</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_telnet_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_telnet_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84146-0">CCE-84146-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, 
<a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.3.1</a></p></td></tr><tr><td>Description</td><td><div class="description">The telnet client allows users to start connections to other systems via the telnet protocol.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>telnet</code> protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The <code>ssh</code> package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 9.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_telnet_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_telnet_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled" id="rule-detail-idm46361749901936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable telnet Servicexccdf_org.ssgproject.content_rule_service_telnet_disabled highCCE-84150-2 </div><div 
class="panel-heading"><h3 class="panel-title">Disable telnet Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_telnet_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_telnet_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84150-2">CCE-84150-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a 
href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a></p></td></tr><tr><td>Description</td><td><div class="description">Make sure that the activation of the <code>telnet</code> service on system boot is disabled. The <code>telnet</code> socket can be disabled with the following command: <pre>$ sudo systemctl mask --now telnet.socket</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;If the system relies on <code>xinetd</code> to manage telnet sessions, ensure the telnet service is disabled by the following line: <code>disable = yes</code>. 
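The following is an added example, not part of the SSG content or of this report: a POSIX shell script that reproduces the decision the telnet rules above make (server package absent, or telnet.service and telnet.socket both inactive and masked, plus the xinetd stanza check from this warning) from the output of <code>rpm -q</code>, <code>systemctl show</code> and the xinetd configuration. Every function takes that output as a string and the script ends with constructed sample inputs, so it runs offline; the package name, unit names and the sample xinetd stanzas are assumptions for illustration, and the xinetd check matches on the <code>service telnet</code> stanza rather than on the file name. The same functions serve the squid rules further down by changing the service name.

```shell
#!/bin/sh
# Added example: not part of the SSG content or of this OpenSCAP report.
# It mirrors, in plain shell, what the telnet rules above test, so the result
# can be reproduced on a host without running oscap:
#   package rule   - telnet-server not installed (rpminfo_object)
#   service rule   - telnet.service / telnet.socket not active and masked
#                    (systemdunitproperty_object, ActiveState / LoadState)
#   xinetd warning - every "service telnet" stanza carries "disable = yes"
# Every function takes command output as a string, so the script runs offline
# on the constructed samples at the bottom; on a real host pass it the output
# of `rpm -q <pkg>`, `systemctl show -p LoadState,ActiveState <unit>` and the
# contents of each file under /etc/xinetd.d instead.

# `rpm -q <pkg>` prints "package <pkg> is not installed" when it is absent.
package_absent() {
    case "$1" in
        *"is not installed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: output of `systemctl show -p LoadState,ActiveState <unit>`.
# A conservative reading of the two OVAL tests: the unit must not be active
# and must be masked. A unit systemd does not know at all (LoadState=not-found)
# also counts as disabled, which is how the OVAL object (no item found) treats it.
unit_disabled() {
    load=$(printf '%s\n' "$1" | sed -n 's/^LoadState=//p')
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    [ "$active" != "active" ] || return 1
    case "$load" in
        masked|not-found) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: service name (e.g. telnet), $2: text of one xinetd configuration file.
# Returns 0 when every "service <name>" stanza contains "disable = yes", or
# when no such stanza exists. Matching on the stanza rather than on the file
# name is what makes this robust to the file being named something else.
xinetd_service_disabled() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        $0 ~ ("^[ \t]*service[ \t]+" svc "[ \t]*$") { in_stanza = 1; disabled = 0; next }
        in_stanza && /^[ \t]*disable[ \t]*=[ \t]*yes[ \t]*$/ { disabled = 1 }
        in_stanza && /^[ \t]*}/ { if (!disabled) bad = 1; in_stanza = 0 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Combine the checks the way the service rule's OVAL definition does: pass when
# the server package is gone; otherwise both units must be disabled and no
# xinetd stanza may leave the service enabled. Prints "pass" or "fail".
# $1: service name, $2: rpm -q output, $3/$4: systemctl show output for the
# .service and .socket units, $5: xinetd configuration text.
service_rule_status() {
    if package_absent "$2"; then
        echo pass; return 0
    fi
    if unit_disabled "$3" && unit_disabled "$4" && xinetd_service_disabled "$1" "$5"; then
        echo pass; return 0
    fi
    echo fail; return 1
}

# Constructed sample inputs (not captured from a real host).
RPM_ABSENT='package telnet-server is not installed'
RPM_PRESENT='telnet-server-0.17-1.el9.x86_64'
UNIT_MASKED='LoadState=masked
ActiveState=inactive'
UNIT_RUNNING='LoadState=loaded
ActiveState=active'
UNIT_MISSING='LoadState=not-found
ActiveState=inactive'
XINETD_OFF='service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}'
XINETD_ON='service telnet
{
        disable         = no
        server          = /usr/sbin/in.telnetd
}'

service_rule_status telnet "$RPM_ABSENT"  "$UNIT_RUNNING" "$UNIT_RUNNING" "$XINETD_ON"          # pass
service_rule_status telnet "$RPM_PRESENT" "$UNIT_MASKED"  "$UNIT_MISSING" "$XINETD_OFF"         # pass
service_rule_status telnet "$RPM_PRESENT" "$UNIT_MASKED"  "$UNIT_RUNNING" "$XINETD_OFF" || true # fail
service_rule_status telnet "$RPM_PRESENT" "$UNIT_MASKED"  "$UNIT_MASKED"  "$XINETD_ON"  || true # fail
```

The third sample is the case the OVAL definition is designed to catch: masking telnet.service while leaving telnet.socket active still accepts connections, because the socket unit is what systemd listens on; this is why the remediation above masks telnet.socket rather than the service.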
Note that the xinetd file for telnet is not created automatically, so it may exist under a different name.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package telnet-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_service_telnet_package_telnet-server_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_telnet_package_telnet-server_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>telnet-server</td></tr></tbody></table><h4><span class="label label-primary">Test that the telnet service is not running</span>&nbsp;<span class="label label-default">oval:ssg-test_service_not_running_telnet:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of telnet">oval:ssg-obj_service_not_running_telnet:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^telnet\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service telnet is masked</span>&nbsp;<span class="label label-default">oval:ssg-test_service_loadstate_is_masked_telnet:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of telnet">oval:ssg-obj_service_loadstate_is_masked_telnet:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^telnet\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_squid_removed" id="rule-detail-idm46361749884480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall squid Packagexccdf_org.ssgproject.content_rule_package_squid_removed unknownCCE-84238-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall squid Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_squid_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_squid_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84238-5">CCE-84238-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/benchmark/red_hat_linux/">2.2.11</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>squid</code> package can be removed with the following command: <pre> $ sudo dnf erase squid</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package squid is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_squid_removed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_squid_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>squid</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_squid_disabled" id="rule-detail-idm46361749880512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable 
Squidxccdf_org.ssgproject.content_rule_service_squid_disabled unknownCCE-84239-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Squid</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_squid_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_squid_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84239-3">CCE-84239-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description"> The <code>squid</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now squid.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package squid is removed</span>Â <span class="label label-default">oval:ssg-test_service_squid_package_squid_removed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_squid_package_squid_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>squid</td></tr></tbody></table><h4><span class="label label-primary">Test that the squid service is not running</span>Â <span class="label label-default">oval:ssg-test_service_not_running_squid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of squid">oval:ssg-obj_service_not_running_squid:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^squid\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service squid is masked</span>Â <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_squid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of squid">oval:ssg-obj_service_loadstate_is_masked_squid:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^squid\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_quagga_removed" id="rule-detail-idm46361749871776"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall quagga Packagexccdf_org.ssgproject.content_rule_package_quagga_removed lowCCE-84191-6 </div><div class="panel-heading"><h3 class="panel-title">Uninstall quagga Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_quagga_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_quagga_removed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and 
References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84191-6">CCE-84191-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>quagga</code> package can be removed with the following command: <pre> $ sudo dnf erase quagga</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network. 
<br> If there is no need to make the router software available, removing it provides a safeguard against its activation.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package quagga is removed</span> <span class="label label-default">oval:ssg-test_package_quagga_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_quagga_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>quagga</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_snmpd_disabled" id="rule-detail-idm46361749855584"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable snmpd Servicexccdf_org.ssgproject.content_rule_service_snmpd_disabled lowCCE-90832-7 </div><div class="panel-heading"><h3 class="panel-title">Disable snmpd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_snmpd_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-service_snmpd_disabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90832-7">CCE-90832-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1311</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"> The <code>snmpd</code> service can be disabled with the following command: <pre>$ sudo systemctl mask --now snmpd.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package net-snmp is removed</span> <span class="label label-default">oval:ssg-test_service_snmpd_package_net-snmp_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_snmpd_package_net-snmp_removed:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>net-snmp</td></tr></tbody></table><h4><span class="label label-primary">Test that the snmpd service is not running</span> <span class="label label-default">oval:ssg-test_service_not_running_snmpd:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of snmpd">oval:ssg-obj_service_not_running_snmpd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^snmpd\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service snmpd is masked</span> <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_snmpd:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of snmpd">oval:ssg-obj_service_loadstate_is_masked_snmpd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^snmpd\.(service|socket)$</td><td>LoadState</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" id="rule-detail-idm46361749849552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SNMP Service to Use Only SNMPv3 or Newerxccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol mediumCCE-87293-7 
</div><div class="panel-heading"><h3 class="panel-title">Configure SNMP Service to Use Only SNMPv3 or Newer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-87293-7">CCE-87293-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1311</a></p></td></tr><tr><td>Description</td><td><div class="description">Edit <code>/etc/snmp/snmpd.conf</code>, removing any references to <code>rocommunity</code>, <code>rwcommunity</code>, or <code>com2sec</code>. 
Upon doing that, restart the SNMP service: <pre>$ sudo service snmpd restart</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.</div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idm46361749804288"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-90816-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_host_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90816-0">CCE-90816-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.8</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. <br> The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for <code>HostbasedAuthentication</code>. 
<br> To explicitly disable host-based authentication, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>HostbasedAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131292528" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362131292528"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*HostbasedAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "HostbasedAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131287728" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131287728"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable Host-Based Authentication
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter HostbasedAuthentication is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "HostbasedAuthentication"| regex_escape }}\s+
      line: HostbasedAuthentication no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90816-0
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - disable_host_auth
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131281776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131281776"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: 
data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%
23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authenticati
on%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandb
ox mode: 0600 path: /etc/ssh/sshd_config overwrite: true </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label 
label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_disable_host_auth:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_disable_host_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_disable_host_auth_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_disable_host_auth_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" id="rule-detail-idm46361749799504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Server firewalld Firewall Exceptionxccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled mediumCCE-89175-4 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Server firewalld Firewall Exception</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr 
title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-firewalld_sshd_port_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-89175-4">CCE-89175-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="">1416</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a></p></td></tr><tr><td>Description</td><td><div class="description">If the SSH server is in use, inbound connections to SSH's port should be allowed to permit remote access through SSH. 
In more restrictive firewalld settings, the SSH port should be added to the proper firewalld zone in order to allow SSH remote access. <br><br> To configure <code>firewalld</code> to allow <code>ssh</code> access, run the following command(s): <pre>firewall-cmd --permanent --add-service=ssh</pre> Then run the following command to load the newly created rule(s): <pre>firewall-cmd --reload</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If inbound SSH connections are expected, adding the SSH port to the proper firewalld zone will allow remote access through the SSH port.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;The remediation for this rule uses the <code>firewall-cmd</code> and <code>nmcli</code> tools. Therefore, it will only be executed if the <code>firewalld</code> and <code>NetworkManager</code> services are running. Otherwise, the remediation will be aborted and an informative message will be shown in the remediation report. These services will not be started, in order to preserve any intentional change in network components related to the firewall and network interfaces.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;This rule also checks whether the SSH port was modified by the administrator in the firewalld service definitions and reflects the expected port number. Although this is checked, fixing the custom ssh.xml file placed by the administrator at /etc/firewalld/services is not in the scope of the remediation, since there is no reliable way to manually change the respective file. 
If the default SSH port is modified, it is the administrator's responsibility to ensure that the firewalld customizations at the service port level are properly configured.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131248976" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362131248976"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "firewalld" ; then
    dnf install -y "firewalld"
fi
if ! rpm -q --quiet "NetworkManager" ; then
    dnf install -y "NetworkManager"
fi

firewalld_sshd_zone='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_firewalld_sshd_zone">public</abbr>'

if systemctl is-active NetworkManager && systemctl is-active firewalld; then
  # First make sure the SSH service is enabled in run-time for the proper zone.
  # This is to avoid connection issues when new interfaces are added to this zone.
  firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh

  # This will collect all NetworkManager connections names
  readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }')
  # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone.
  # This will not change connections which are already assigned to any firewalld zone.
  for connection in "${nm_connections[@]}"; do
    current_zone=$(nmcli -f connection.zone connection show "$connection" | awk '{ print $2}')
    if [ "$current_zone" = "--" ]; then
      nmcli connection modify "$connection" connection.zone "$firewalld_sshd_zone"
    fi
  done
  systemctl restart NetworkManager

  # Active zones are zones with at least one interface assigned to it.
  # It is possible that traffic is coming by any active interface and consequently any
  # active zone. So, this makes sure all active zones are permanently allowing SSH service.
  readarray -t firewalld_active_zones < <(firewall-cmd --get-active-zones | grep -v interfaces)
  for zone in "${firewalld_active_zones[@]}"; do
    firewall-cmd --permanent --zone="$zone" --add-service=ssh
  done
  firewall-cmd --reload
else
  echo "
  firewalld and NetworkManager services are not active. Remediation aborted!
  This remediation could not be applied because it depends on firewalld and NetworkManager services running.
  The service is not started by this remediation in order to prevent connection issues."
  exit 1
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362131241824" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362131241824"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: XCCDF Value firewalld_sshd_zone # promote to variable
  set_fact:
    firewalld_sshd_zone: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_firewalld_sshd_zone">public</abbr>
  tags:
    - always

- name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld and NetworkManager packages are installed
  ansible.builtin.package:
    name: '{{ item }}'
    state: present
  with_items:
  - firewalld
  - NetworkManager
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Collect facts about system services
  ansible.builtin.service_facts: null
  register: result_services_states
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Remediation is applicable if firewalld and NetworkManager services are running
  block:

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager connections names
    ansible.builtin.shell:
      cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }'
    register: result_nmcli_cmd_connections_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Collect NetworkManager connections zones
    ansible.builtin.shell:
      cmd: nmcli -f connection.zone connection show {{ item | trim }} | awk '{ print $2}'
    register: result_nmcli_cmd_connections_zones
    changed_when: false
    with_items:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections are assigned to a firewalld zone
    ansible.builtin.command:
      cmd: nmcli connection modify {{ item.0 }} connection.zone {{ firewalld_sshd_zone }}
    register: result_nmcli_cmd_connections_assignment
    with_together:
    - '{{ result_nmcli_cmd_connections_names.stdout_lines }}'
    - '{{ result_nmcli_cmd_connections_zones.results }}'
    when:
    - item.1.stdout == '--'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure NetworkManager connections changes are applied
    ansible.builtin.service:
      name: NetworkManager
      state: restarted
    when:
    - result_nmcli_cmd_connections_assignment is changed

  - name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active zones
    ansible.builtin.shell:
      cmd: firewall-cmd --get-active-zones | grep -v interfaces
    register: result_firewall_cmd_zones_names
    changed_when: false

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld zones allow SSH
    ansible.builtin.command:
      cmd: firewall-cmd --permanent --zone={{ item }} --add-service=ssh
    register: result_nmcli_cmd_connections_assignment
    changed_when:
    - '''ALREADY_ENABLED'' not in result_nmcli_cmd_connections_assignment.stderr'
    with_items:
    - '{{ result_firewall_cmd_zones_names.stdout_lines }}'

  - name: Enable SSH Server firewalld Firewall Exception - Ensure firewalld changes are applied
    ansible.builtin.service:
      name: firewalld
      state: reloaded
    when:
    - result_nmcli_cmd_connections_assignment is changed
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_facts.services['firewalld.service'].state == 'running'
  - ansible_facts.services['NetworkManager.service'].state == 'running'
  tags:
  - CCE-89175-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Enable SSH Server firewalld Firewall Exception - Informative message based on services states
  ansible.builtin.assert:
    that:
    - ansible_facts.services['firewalld.service'].state == 'running'
    - ansible_facts.services['NetworkManager.service'].state == 'running'
    fail_msg:
    - firewalld and NetworkManager services are not active. Remediation aborted!
    - This remediation could not be applied because it depends on firewalld and NetworkManager services running.
    - The service is not started by this remediation in order to prevent connection issues.
    success_msg:
    - Enable SSH Server firewalld Firewall Exception remediation successfully executed
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-89175-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - configure_strategy
  - firewalld_sshd_port_enabled
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">All NICs must have a firewalld zone defined in their settings</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_all_nics_in_zones:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_network_conf_files_count:obj:1</abbr></strong> of type <strong>variable_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th></tr></thead><tbody><tr><td>oval:ssg-var_firewalld_sshd_port_enabled_network_conf_files_with_zone_count:var:1</td></tr></tbody></table><h4><span class="label label-primary">SSH service is defined in all zones delivered in the firewalld package</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_usr:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_zone_files_usr:obj:1</abbr></strong> of type <strong>xmlfilecontent_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Xpath</th></tr></thead><tbody><tr><td>^(dmz|external|home|internal|public|trusted|work)\.xml$</td><td>/usr/lib/firewalld/zones</td><td>/zone/service[@name='ssh']</td></tr></tbody></table><h4><span class="label label-primary">there is no equivalent zone file defined by the administrator in /etc dir</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_usr_zones_not_overridden:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_customized_zone_files:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>^(dmz|external|home|internal|public|trusted|work)\.xml$</td><td>no value</td><td>/etc/firewalld/zones</td></tr></tbody></table><h4><span class="label label-primary">SSH service is defined in all zones created or modified by the administrator</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_zone_ssh_enabled_etc:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:obj:1</abbr></strong> of type <strong>variable_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th></tr></thead><tbody><tr><td>oval:ssg-var_firewalld_sshd_port_enabled_custom_zone_files_with_ssh_count:var:1</td></tr></tbody></table><h4><span class="label label-primary">SSH service is interger in the /usr/lib/firewalld/services dir</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_usr:tst:1</span>&nbsp;<span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_usr:obj:1</abbr></strong> of type <strong>xmlfilecontent_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Xpath</th></tr></thead><tbody><tr><td>/usr/lib/firewalld/services/ssh.xml</td><td>/service/port[@port='22']</td></tr></tbody></table><h4><span class="label label-primary">SSH service is properly configured in /etc/firewalld/services dir</span>&nbsp;<span class="label label-default">oval:ssg-test_firewalld_sshd_port_enabled_ssh_service_etc:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_firewalld_sshd_port_enabled_ssh_service_file_etc:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/firewalld/services/ssh.xml</td><td>&lt;port.*port="(\d+)"</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" id="rule-detail-idm46361749794688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 highCCE-90812-9 </div><div class="panel-heading"><h3 class="panel-title">Allow Only SSH Protocol 2</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_allow_only_protocol2:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90812-9">CCE-90812-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a 
href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000197</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0487</a>, <a href="">1449</a>, <a href="">1506</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000074-GPOS-00042</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000033-VMM-000140</a></p></td></tr><tr><td>Description</td><td><div class="description">Only SSH protocol version 2 connections should be permitted. 
The default setting in <code>/etc/ssh/sshd_config</code> is correct, and can be verified by ensuring that the following line appears: <pre>Protocol 2</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&nbsp;As of <code>openssh-server</code> version <code>7.4</code> and above, the only protocol supported is version 2, and line <pre>Protocol 2</pre> in <code>/etc/ssh/sshd_config</code> is not necessary.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label 
label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">OpenSSH is version 7.4 or higher</span>&nbsp;<span class="label label-default">oval:ssg-test_openssh-server_version:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">sshd uses protocol 2</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_allow_only_protocol2:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sshd_allow_only_protocol2:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-detail-idm46361749787168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to 
search the report rules-->Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-90799-8 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90799-8">CCE-90799-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000766</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000106-GPOS-00053</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.9</a></p></td></tr><tr><td>Description</td><td><div class="description">Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for <code>PermitEmptyPasswords</code>. 
<br> To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <br> <pre>PermitEmptyPasswords no</pre> Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130991456" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#9650;</a><br><div class="panel-collapse collapse" id="idm46362130991456"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*PermitEmptyPasswords\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130986048" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#9650;</a><br><div class="panel-collapse collapse" id="idm46362130986048"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Access via Empty Passwords
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter PermitEmptyPasswords is present in /etc/ssh/sshd_config.d
      find:
        paths: /etc/ssh/sshd_config.d
        recurse: 'yes'
        follow: 'no'
        contains: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
        state: absent
      with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: (?i)^\s*{{ "PermitEmptyPasswords"| regex_escape }}\s+
        line: PermitEmptyPasswords no
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-90799-8
    - CJIS-5.5.6
    - NIST-800-171-3.1.1
    - NIST-800-171-3.1.5
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-CM-7(a)
    - NIST-800-53-CM-7(b)
    - PCI-DSS-Req-2.2.6
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - restrict_strategy
    - sshd_disable_empty_passwords
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idm46361749782352"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-90808-7 </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_gssapi_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90808-7">CCE-90808-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0418</a>, <a href="">1055</a>, <a href="">1402</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. 
<br> The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for <code>GSSAPIAuthentication</code>. <br> To explicitly disable GSSAPI authentication, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>GSSAPIAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130942448" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130942448"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*GSSAPIAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "GSSAPIAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130938288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130938288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable GSSAPI Authentication
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter GSSAPIAuthentication is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "GSSAPIAuthentication"| regex_escape }}\s+
      line: GSSAPIAuthentication no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90808-7
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_gssapi_auth
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_gssapi_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d/50-redhat.conf</td><td>GSSAPIAuthentication yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idm46361749777552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-90802-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos 
Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_kerb_auth:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90802-0">CCE-90802-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. <br> The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for <code>KerberosAuthentication</code>. <br> To explicitly disable Kerberos authentication, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>KerberosAuthentication no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. 
</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130887360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130887360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf

LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*KerberosAuthentication\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "KerberosAuthentication no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130881552" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130881552"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable Kerberos Authentication
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter KerberosAuthentication is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "KerberosAuthentication"| regex_escape }}\s+
      line: KerberosAuthentication no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90802-0
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_kerb_auth
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the 
default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_kerb_auth:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_kerb_auth_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth_config_dir:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" id="rule-detail-idm46361749770688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-90797-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for .rhosts Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_rhosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_rhosts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90797-2">CCE-90797-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000107-VMM-000530</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.11</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via <code>.rhosts</code> files. <br> The default SSH configuration disables support for <code>.rhosts</code>. The appropriate configuration is used if no value is set for <code>IgnoreRhosts</code>. <br> To explicitly disable support for .rhosts files, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>IgnoreRhosts yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130782000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130782000"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*IgnoreRhosts\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "IgnoreRhosts yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130777296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130777296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Support for .rhosts Files
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter IgnoreRhosts is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "IgnoreRhosts"| regex_escape }}\s+
      line: IgnoreRhosts yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90797-2
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_rhosts
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_rhosts:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_rhosts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_rhosts_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm46361749763200"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login mediumCCE-90800-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_root_login:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90800-4">CCE-90800-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R21)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a 
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.7</a></p></td></tr><tr><td>Description</td><td><div class="description">The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>PermitRootLogin no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. 
In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130617184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130617184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
    LC_ALL=C sed -i "/^\s*PermitRootLogin\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "PermitRootLogin no" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130612640" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130612640"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Root Login
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitRootLogin is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "PermitRootLogin"| regex_escape }}\s+
      line: PermitRootLogin no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90800-4
  - CJIS-5.5.6
  - NIST-800-171-3.1.1
  - NIST-800-171-3.1.5
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6(2)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(5)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_root_login
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label 
label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_root_login:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_root_login:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_root_login_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" id="rule-detail-idm46361749753632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Support for User Known Hostsxccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts mediumCCE-90796-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Support for User Known Hosts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_user_known_hosts:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90796-4">CCE-90796-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, 
<a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH can allow system users to connect to systems if a cache of the remote systems' public keys is available. This should be disabled. 
<br><br> To ensure this behavior is disabled, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>IgnoreUserKnownHosts yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130541168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130541168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
    LC_ALL=C sed -i "/^\s*IgnoreUserKnownHosts\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130536576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130536576"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable SSH Support for User Known Hosts
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter IgnoreUserKnownHosts is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "IgnoreUserKnownHosts"| regex_escape }}\s+
      line: IgnoreUserKnownHosts yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90796-4
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_user_known_hosts
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_user_known_hosts:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_user_known_hosts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_disable_user_known_hosts_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_user_known_hosts_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding" id="rule-detail-idm46361749748816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-90798-0 </div><div class="panel-heading"><h3 class="panel-title">Disable X11 Forwarding</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_x11_forwarding:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90798-0">CCE-90798-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.12</a></p></td></tr><tr><td>Description</td><td><div class="description">The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's <code>X11Forwarding</code> option is enabled. <br> The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for <code>X11Forwarding</code>. <br> To explicitly disable X11 Forwarding, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>X11Forwarding no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130517792" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130517792"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*X11Forwarding\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "X11Forwarding no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130512432" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130512432"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Disable X11 Forwarding
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter X11Forwarding is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "X11Forwarding"| regex_escape }}\s+
      line: X11Forwarding no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90798-0
  - NIST-800-53-CM-6(b)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_disable_x11_forwarding
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following 
items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label 
label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_x11_forwarding:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_x11_forwarding:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of X11Forwarding setting in the /etc/ssh/sshd_config.d file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_x11_forwarding_config_dir:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d/50-redhat.conf</td><td>X11Forwarding yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail 
rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" id="rule-detail-idm46361749744000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-90803-8 </div><div class="panel-heading"><h3 class="panel-title">Do Not Allow SSH Environment Options</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_do_not_permit_user_env:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90803-8">CCE-90803-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a 
href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.10</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that users are not able to override environment variables of the SSH daemon. <br> The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for <code>PermitUserEnvironment</code>. 
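<br> Added worked example (not part of this OpenSCAP report or of the ComplianceAsCode remediations): a POSIX shell resolver for the value <code>sshd</code> will actually use for a keyword, following OpenSSH's rule that the first value obtained wins and that <code>Include</code> files are read at the point of the directive, in the sorted order the glob returns. It reproduces the situation the X11Forwarding check above found, where <code>/etc/ssh/sshd_config</code> sets nothing but the vendor drop-in <code>/etc/ssh/sshd_config.d/50-redhat.conf</code> sets <code>X11Forwarding yes</code>, and it shows why the remediations for X11Forwarding, PermitUserEnvironment and StrictModes first delete the keyword from every file and only then pin it in <code>01-complianceascode-reinforce-os-defaults.conf</code>, which sorts ahead of <code>50-redhat.conf</code>. The sample files live under a <code>mktemp</code> directory (constructed, hypothetical paths). The resolver is simplified by assumption: absolute <code>Include</code> paths only, <code>Keyword value</code> syntax without <code>=</code>, and a <code>Match</code> line ends the global section of the file it appears in. On a real host, <code>sshd -T</code> gives the authoritative effective configuration.

```shell
#!/bin/sh
# Added example, not from the OpenSCAP report or the ComplianceAsCode project.
# Resolves the value sshd would use for a keyword: first obtained value wins,
# Include files are read in place in the (sorted) order the glob returns them.
# Assumptions: absolute Include paths, "Keyword value" syntax (no '='), and a
# Match line ends the global section of the file it appears in.

# sshd_effective_value CONFIG_FILE KEYWORD
#   prints the first value found and returns 0; returns 1 and prints nothing
#   when the keyword is unset everywhere (sshd's compiled-in default applies).
sshd_effective_value() {
    _cfg=$1
    _kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # sshd keywords are case-insensitive
    [ -r "$_cfg" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                          # drop comments
        set -f; set -- $_line; set +f               # split into words, no globbing yet
        [ $# -ge 2 ] || continue
        _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case $_key in
            match) return 1 ;;                      # conditional block: nothing below is global
            include)
                shift
                for _pat in "$@"; do
                    for _inc in $_pat; do           # glob expands here, sorted by the shell
                        [ -f "$_inc" ] || continue
                        # recursion runs in a subshell, so no variable clobbering
                        if _v=$(sshd_effective_value "$_inc" "$_kw"); then
                            printf '%s\n' "$_v"; return 0
                        fi
                    done
                done ;;
            "$_kw") printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$_cfg"
    return 1
}

# make_demo_root: constructed sample tree (hypothetical paths under mktemp)
# mirroring the report's finding: sshd_config sets nothing globally, the
# vendor drop-in 50-redhat.conf sets X11Forwarding yes, and a Match block
# holds a per-user "no" that must not be mistaken for the global value.
make_demo_root() {
    _root=$(mktemp -d)
    mkdir -p "$_root/sshd_config.d"
    cat > "$_root/sshd_config" <<EOF
Include $_root/sshd_config.d/*.conf
Match User backup
    X11Forwarding no
EOF
    printf 'X11Forwarding yes\n' > "$_root/sshd_config.d/50-redhat.conf"
    printf '%s\n' "$_root"
}

# remediate_keyword ROOT KEYWORD VALUE: the effect of the report's shell
# remediation: delete KEYWORD from sshd_config and every drop-in, then pin it
# in the 01-... drop-in, which the Include glob orders before 50-redhat.conf.
remediate_keyword() {
    _root=$1; _kw=$2; _val=$3
    for _f in "$_root/sshd_config" "$_root"/sshd_config.d/*.conf; do
        [ -f "$_f" ] || continue
        grep -iv "^[[:space:]]*$_kw[[:space:]]" "$_f" > "$_f.tmp" || true
        mv "$_f.tmp" "$_f"
    done
    printf '%s %s\n' "$_kw" "$_val" >> "$_root/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
}

root=$(make_demo_root)
printf 'before: X11Forwarding=%s\n' "$(sshd_effective_value "$root/sshd_config" X11Forwarding)"
remediate_keyword "$root" X11Forwarding no
printf 'after:  X11Forwarding=%s\n' "$(sshd_effective_value "$root/sshd_config" X11Forwarding)"
printf 'PermitUserEnvironment=%s (empty: unset everywhere, sshd default applies)\n' \
    "$(sshd_effective_value "$root/sshd_config" PermitUserEnvironment)"
rm -rf "$root"
```

Before the remediation the resolver returns <code>yes</code> for X11Forwarding: the <code>Include</code> line is read first, <code>50-redhat.conf</code> is the only drop-in, and the <code>no</code> inside the <code>Match</code> block never becomes the global value. After it the answer is <code>no</code>, from the <code>01-</code> drop-in, and the keyword is gone from <code>50-redhat.conf</code>. PermitUserEnvironment resolves to nothing, which matches the two OVAL <code>textfilecontent54</code> tests for that rule below (no items in either location); the rule still fails because the check requires the value to be set explicitly.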
<br> To explicitly disable Environment options, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>PermitUserEnvironment no</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH environment options potentially allow users to bypass access restrictions in some configurations.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130474672" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130474672"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*PermitUserEnvironment\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "PermitUserEnvironment no" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130469872" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130469872"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Do Not Allow SSH Environment Options
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PermitUserEnvironment is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "PermitUserEnvironment"| regex_escape }}\s+
      line: PermitUserEnvironment no
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90803-8
  - CJIS-5.5.6
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_do_not_permit_user_env
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_do_not_permit_user_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_do_not_permit_user_env:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config.d file</span> <span class="label label-default">oval:ssg-test_sshd_do_not_permit_user_env_config_dir:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idm46361749731728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-90809-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Strict Mode Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_strictmodes:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90809-5">CCE-90809-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH's <code>StrictModes</code> option checks ownership and file permissions on the user's home directory and <code>.ssh</code> folder before accepting login. If world-writable permissions are found, the login is rejected. <br> The default SSH configuration has <code>StrictModes</code> enabled. The appropriate configuration is used if no value is set for <code>StrictModes</code>. <br> To explicitly enable <code>StrictModes</code> in SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>StrictModes yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130349296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130349296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*StrictModes\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "StrictModes yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130343456" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130343456"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable Use of Strict Mode Checking
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter StrictModes is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "StrictModes"| regex_escape }}\s+
      line: StrictModes yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90809-5
  - NIST-800-171-3.1.12
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(a)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_strictmodes
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of StrictModes setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_enable_strictmodes:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of StrictModes setting in the /etc/ssh/sshd_config.d file</span>Â <span class="label label-default">oval:ssg-test_sshd_enable_strictmodes_config_dir:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idm46361749726928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search 
the report rules-->Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-90807-9 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_warning_banner:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90807-9">CCE-90807-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000048</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000050</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001384</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001385</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001386</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001387</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001388</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,
<a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_TAB.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</a>, <a href="">SRG-OS-000023-VMM-000060</a>, <a href="">SRG-OS-000024-VMM-000070</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.15</a></p></td></tr><tr><td>Description</td><td><div class="description">To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>Banner /etc/issue</pre> Another section contains information on how to create an appropriate system-wide warning banner.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. 
Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130290288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130290288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" ] ; then
    LC_ALL=C sed -i "/^\s*Banner\s\+/Id" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    touch "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"

cp "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" > "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    printf '%s\n' "Banner /etc/issue" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak" >> "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130285792" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130285792"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable SSH Warning Banner
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter Banner is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "Banner"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf
      create: true
      regexp: (?i)^\s*{{ "Banner"| regex_escape }}\s+
      line: Banner /etc/issue
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90807-9
  - CJIS-5.5.6
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-17(a)
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-2.2.6
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_enable_warning_banner
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of Banner setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_enable_warning_banner:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_warning_banner:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of Banner setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_enable_warning_banner_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_warning_banner_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_print_last_log" id="rule-detail-idm46361749715280"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Print Last Logxccdf_org.ssgproject.content_rule_sshd_print_last_log mediumCCE-90804-6 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Print Last Log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_print_last_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_print_last_log:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates.
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90804-6">CCE-90804-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.10</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000052</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a
href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description">Ensure that SSH will display the date and time of the last successful account logon. <br> The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for <code>PrintLastLog</code>. 
<br> To explicitly enable LastLog in SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>PrintLastLog yes</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130076944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130076944"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*PrintLastLog\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "PrintLastLog yes" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130072240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130072240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Enable SSH Print Last Log
  block:

  - name: Deduplicate values from /etc/ssh/sshd_config
    lineinfile:
      path: /etc/ssh/sshd_config
      create: false
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      state: absent

  - name: Check if /etc/ssh/sshd_config.d exists
    stat:
      path: /etc/ssh/sshd_config.d
    register: _etc_ssh_sshd_config_d_exists

  - name: Check if the parameter PrintLastLog is present in /etc/ssh/sshd_config.d
    find:
      paths: /etc/ssh/sshd_config.d
      recurse: 'yes'
      follow: 'no'
      contains: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
    register: _etc_ssh_sshd_config_d_has_parameter
    when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

  - name: Remove parameter from files in /etc/ssh/sshd_config.d
    lineinfile:
      path: '{{ item.path }}'
      create: false
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      state: absent
    with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
    when: _etc_ssh_sshd_config_d_has_parameter.matched

  - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
    lineinfile:
      path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      create: true
      regexp: (?i)^\s*{{ "PrintLastLog"| regex_escape }}\s+
      line: PrintLastLog yes
      state: present
      insertbefore: ^[#\s]*Match
      validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-90804-6
  - NIST-800-53-AC-9
  - NIST-800-53-AC-9(1)
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_print_last_log
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_print_last_log:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_print_last_log:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PrintLastLog setting in the /etc/ssh/sshd_config.d file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_print_last_log_config_dir:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_print_last_log_config_dir:obj:1</abbr></strong> of type
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" id="rule-detail-idm46361749705104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set LogLevel to INFOxccdf_org.ssgproject.content_rule_sshd_set_loglevel_info lowCCE-90813-7 </div><div class="panel-heading"><h3 class="panel-title">Set LogLevel to INFO</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_loglevel_info:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90813-7">CCE-90813-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.5</a></p></td></tr><tr><td>Description</td><td><div class="description">The INFO parameter specifies that login and logout activity will be logged. <br> The default SSH configuration sets the log level to INFO. The appropriate configuration is used if no value is set for <code>LogLevel</code>. <br> To explicitly specify the log level in SSH, add or correct the following line in <code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</code>: <pre>LogLevel INFO</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">SSH provides several logging levels with varying amounts of verbosity. <code>DEBUG</code> is specifically not recommended other than strictly for debugging SSH communications, since it provides so much data that it is difficult to identify important security information. <code>INFO</code> level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. 
The logout record can eliminate those users who disconnected, which helps narrow the field.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130009920" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362130009920"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

mkdir -p /etc/ssh/sshd_config.d
touch /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config"
LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d"/*.conf
if [ -e "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" ] ; then
    LC_ALL=C sed -i "/^\s*LogLevel\s\+/Id" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    touch "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"

cp "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" > "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    printf '%s\n' "LogLevel INFO" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak" >> "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362130003952" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362130003952"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Set LogLevel to INFO
  block:

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
        state: absent

    - name: Check if /etc/ssh/sshd_config.d exists
      stat:
        path: /etc/ssh/sshd_config.d
      register: _etc_ssh_sshd_config_d_exists

    - name: Check if the parameter LogLevel is present in /etc/ssh/sshd_config.d
      find:
        paths: /etc/ssh/sshd_config.d
        recurse: 'yes'
        follow: 'no'
        contains: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
      register: _etc_ssh_sshd_config_d_has_parameter
      when: _etc_ssh_sshd_config_d_exists.stat.isdir is defined and _etc_ssh_sshd_config_d_exists.stat.isdir

    - name: Remove parameter from files in /etc/ssh/sshd_config.d
      lineinfile:
        path: '{{ item.path }}'
        create: false
        regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
        state: absent
      with_items: '{{ _etc_ssh_sshd_config_d_has_parameter.files }}'
      when: _etc_ssh_sshd_config_d_has_parameter.matched

    - name: Insert correct line to /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
      lineinfile:
        path: /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
        create: true
        regexp: (?i)^\s*{{ "LogLevel"| regex_escape }}\s+
        line: LogLevel INFO
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-90813-7
    - NIST-800-53-AC-17(a)
    - NIST-800-53-CM-6(a)
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_loglevel_info
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table 
class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of LogLevel setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_set_loglevel_info:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_set_loglevel_info:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the value of LogLevel setting in the /etc/ssh/sshd_config.d file</span>Â <span class="label label-default">oval:ssg-test_sshd_set_loglevel_info_config_dir:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_set_loglevel_info_config_dir:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config.d</td><td>.*\.conf$</td><td>^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ 
\t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" id="rule-detail-idm46361749697600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH authentication attempt limitxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries mediumCCE-90810-3 </div><div class="panel-heading"><h3 class="panel-title">Set SSH authentication attempt limit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_max_auth_tries:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90810-3">CCE-90810-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">0421</a>, <a href="">0422</a>, <a href="">0431</a>, <a href="">0974</a>, <a href="">1173</a>, <a href="">1401</a>, <a href="">1504</a>, <a href="">1505</a>, <a href="">1546</a>, <a href="">1557</a>, <a href="">1558</a>, <a href="">1559</a>, <a href="">1560</a>, <a href="">1561</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.16</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>MaxAuthTries</code> parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. To set <code>MaxAuthTries</code>, edit <code>/etc/ssh/sshd_config</code> as follows: <pre>MaxAuthTries <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr></pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks against the SSH server.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129956464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ▲</a><br><div class="panel-collapse collapse" id="idm46362129956464"><pre><code># Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

sshd_max_auth_tries_value='<abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr>'

if [ -e "/etc/ssh/sshd_config" ] ; then
    LC_ALL=C sed -i "/^\s*MaxAuthTries\s\+/Id" "/etc/ssh/sshd_config"
else
    touch "/etc/ssh/sshd_config"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/ssh/sshd_config"

cp "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bak"
# Insert before the line matching the regex '^Match'.
line_number="$(LC_ALL=C grep -n "^Match" "/etc/ssh/sshd_config.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^Match', insert at
    # the end of the file.
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
else
    head -n "$(( line_number - 1 ))" "/etc/ssh/sshd_config.bak" > "/etc/ssh/sshd_config"
    printf '%s\n' "MaxAuthTries $sshd_max_auth_tries_value" >> "/etc/ssh/sshd_config"
    tail -n "+$(( line_number ))" "/etc/ssh/sshd_config.bak" >> "/etc/ssh/sshd_config"
fi
# Clean up after ourselves.
rm "/etc/ssh/sshd_config.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129953280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ▲</a><br><div class="panel-collapse collapse" id="idm46362129953280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value sshd_max_auth_tries_value # promote to variable
  set_fact:
    sshd_max_auth_tries_value: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value">5</abbr>
  tags:
    - always

- name: Set SSH authentication attempt limit
  block:

    - name: Check for duplicate values
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*MaxAuthTries\s+
        state: absent
      check_mode: true
      changed_when: false
      register: dupes

    - name: Deduplicate values from /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: false
        regexp: (?i)^\s*MaxAuthTries\s+
        state: absent
      when: dupes.found is defined and dupes.found > 1

    - name: Insert correct line to /etc/ssh/sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        create: true
        regexp: (?i)^\s*MaxAuthTries\s+
        line: MaxAuthTries {{ sshd_max_auth_tries_value }}
        state: present
        insertbefore: ^[#\s]*Match
        validate: /usr/sbin/sshd -t -f %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-90810-3
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sshd_set_max_auth_tries
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr 
title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label 
label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">maxauthtries is configured</span>Â <span class="label label-default">oval:ssg-test_sshd_max_auth_tries:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sshd_max_auth_tries:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration" id="rule-detail-idm46361749686576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Distribute the SSH Server configuration to multiple files in a config directory.xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration mediumCCE-87681-3 </div><div class="panel-heading"><h3 class="panel-title">Distribute the SSH Server configuration to multiple files in a config directory.</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_use_directory_configuration</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_use_directory_configuration:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-87681-3">CCE-87681-3</abbr></p></td></tr><tr><td>Description</td><td><div class="description">Make sure the <code>/etc/ssh/sshd_config</code> file contains the line <code>Include /etc/ssh/sshd_config.d/*.conf</code>. Ideally, that file holds no other active configuration directives, and the service configuration is distributed across several files in the <code>/etc/ssh/sshd_config.d</code> directory.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">This form of distributed configuration is considered good practice, and because other sshd rules assume that directives in files in the <code>/etc/ssh/sshd_config.d</code> directory are effective, a rule has to ensure that they are. Note that sshd uses the first value it obtains for each keyword, so the <code>Include</code> line must precede any directive in <code>/etc/ssh/sshd_config</code> that would otherwise override the included files, and an <code>Include</code> placed inside a <code>Match</code> block applies only while that block matches; the check below therefore also verifies that the main file contains no <code>Match</code> directive. Aside from that, splitting the configuration across multiple files makes SSH server configuration changes easier to partition according to the reason they were introduced, which should make merging hardening updates easier.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>29.el9_2</td><td>8.7p1</td><td>0:8.7p1-29.el9_2</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.7p1-29.el9_2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the presence of 'Include /etc/ssh/sshd_config.d/*.conf' setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_includes_config_files:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>Include /etc/ssh/sshd_config.d/*.conf </td></tr></tbody></table><h4><span class="label label-primary">tests the absence of match setting in the /etc/ssh/sshd_config file</span>&nbsp;<span class="label label-default">oval:ssg-test_sshd_use_directory_configuration_default_not_overriden:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_use_directory_configuration_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)match(?-i)\s+\S+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" id="rule-detail-idm46361749826528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify Permissions on SSH Server Private *_key Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key mediumCCE-90820-2 </div><div class="panel-heading"><h3 class="panel-title">Verify Permissions on SSH Server Private *_key Key Files</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-file_permissions_sshd_private_key:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-90820-2">CCE-90820-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">18</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.isaca.org/resources/cobit">APO01.06</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</a>, <a 
href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/red_hat_linux/">5.2.2</a></p></td></tr><tr><td>Description</td><td><div class="description">SSH server private keys - files that match the <code>/etc/ssh/*_key</code> glob, have to have restricted permissions. If those files are owned by the <code>root</code> user and the <code>root</code> group, they have to have the <code>0600</code> permission or stricter. 
If they are owned by the <code>root</code> user but by the dedicated <code>ssh_keys</code> group, they can have the <code>0640</code> permission or stricter.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">No keys that have unsafe ownership/permissions combination exist</span>&nbsp;<span class="label label-default">oval:ssg-test_no_offending_keys:tst:1</span>&nbsp;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="All keys in /etc/ssh with unsafe ownership/permission combination">oval:ssg-object_offending_keys:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Filter</th><th>Filter</th><th>Filter</th></tr></thead><tbody><tr><td>/etc/ssh</td><td>.*_key$</td><td>oval:ssg-exclude_symlinks__sshd_private_key:ste:1</td><td>oval:ssg-filter_ssh_key_owner_root:ste:1</td><td>oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_package_usbguard_installed" id="rule-detail-idm46361749660176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-84203-9 </div><div class="panel-heading"><h3 class="panel-title">Install usbguard Package</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_usbguard_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_usbguard_installed:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84203-9">CCE-84203-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-001958</a>, <a href="">1418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description">The <code>usbguard</code> package can be installed with the following command: <pre>$ sudo dnf install usbguard</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><code>usbguard</code> is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129578880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362129578880"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease; then

if ! rpm -q --quiet "usbguard" ; then
    dnf install -y "usbguard"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129576512" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129576512"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  when: ansible_architecture != "s390x"
  tags:
  - CCE-84203-9
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_usbguard_installed
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129574192" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129574192"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_usbguard

class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129572016" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129572016"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=usbguard
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129570000" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129570000"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
  extensions:
  - usbguard
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129568864" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129568864"><pre><code>[[packages]]
name = "usbguard"
version = "*"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_package_usbguard_installed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_usbguard_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_service_usbguard_enabled" id="rule-detail-idm46361749656176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-84205-4 </div><div class="panel-heading"><h3 class="panel-title">Enable the USBGuard Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_usbguard_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-service_usbguard_enabled:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&nbsp;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84205-4">CCE-84205-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&nbsp;<a href="https://public.cyber.mil/stigs/cci/">CCI-000416</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001958</a>, <a href="">1418</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description">The USBGuard service should be enabled. The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable usbguard.service</pre></div></td></tr><tr><td>Rationale</td><td><div class="rationale">The <code>usbguard</code> service must be running in order to enforce the USB device authorization policy for all USB devices. Generate the policy before starting the daemon (for example with <code>usbguard generate-policy</code>, written to <code>/etc/usbguard/rules.conf</code>): with an empty rules file, the implicit policy target (<code>block</code> in the default <code>usbguard-daemon.conf</code>) is applied to the devices that are already attached, so devices such as the keyboard can be blocked.</div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129554624" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="idm46362129554624"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'usbguard.service'
"$SYSTEMCTL_EXEC" start 'usbguard.service'
"$SYSTEMCTL_EXEC" enable 'usbguard.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129551808" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129551808"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service usbguard
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable service usbguard
    service:
      name: usbguard
      enabled: 'yes'
      state: started
      masked: 'no'
    when:
    - '"usbguard" in ansible_facts.packages'
  when:
  - ansible_architecture != "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-84205-4
  - NIST-800-53-CM-8(3)(a)
  - NIST-800-53-IA-3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_usbguard_enabled
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129549168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129549168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_usbguard

class enable_usbguard {
  service {'usbguard':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129546992" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129546992"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - name: usbguard.service
        enabled: true
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129545696" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="idm46362129545696"><pre><code>[customizations.services]
enabled = ["usbguard"]
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is installed</span>&nbsp;<span class="label label-default">oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table><h4><span class="label label-primary">Test that the usbguard service is running</span>&nbsp;<span class="label label-default">oval:ssg-test_service_running_usbguard:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of usbguard">oval:ssg-obj_service_running_usbguard:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^usbguard\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_usbguard:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&nbsp;<span class="label label-default">oval:ssg-test_multi_user_wants_usbguard_socket:tst:1</span>&nbsp;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>sysinit.target</td><td>veritysetup.target<
/td><td>systemd-pcrphase-sysinit.service</td><td>systemd-network-generator.service</td><td>systemd-pcrphase.service</td><td>sys-kernel-tracing.mount</td><td>nis-domainname.service</td><td>systemd-journald.service</td><td>systemd-binfmt.service</td><td>systemd-tmpfiles-setup.service</td><td>kmod-static-nodes.service</td><td>systemd-udevd.service</td><td>systemd-sysctl.service</td><td>sys-kernel-config.mount</td><td>cryptsetup.target</td><td>systemd-sysusers.service</td><td>selinux-autorelabel-mark.service</td><td>dracut-shutdown.service</td><td>integritysetup.target</td><td>systemd-repart.service</td><td>systemd-tmpfiles-setup-dev.service</td><td>systemd-modules-load.service</td><td>systemd-update-utmp.service</td><td>systemd-firstboot.service</td><td>systemd-udev-trigger.service</td><td>swap.target</td><td>systemd-boot-update.service</td><td>systemd-boot-system-token.service</td><td>systemd-random-seed.service</td><td>dev-hugepages.mount</td><td>dev-mqueue.mount</td><td>systemd-journal-catalog-update.service</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>local-fs.target</td><td>boot-efi.mount</td><td>-.mount</td><td>boot.mount</td><td>systemd-remount-fs.service</td><td>efi.automount</td><td>systemd-hwdb-update.service</td><td>systemd-journal-flush.service</td><td>sys-fs-fuse-connections.mount</td><td>systemd-ask-password-console.path</td><td>systemd-update-done.service</td><td>proc-sys-fs-binfmt_misc.automount</td><td>sys-kernel-debug.mount</td><td>timers.target</td><td>logrotate.timer</td><td>systemd-tmpfiles-clean.timer</td><td>dnf-makecache.timer</td><td>slices.target</td><td>system.slice</td><td>-.slice</td><td>microcode.service</td><td>sockets.target</td><td>systemd-journald.socket</td><td>systemd-udevd-control.socket</td><td>sssd-kcm.socket</td><td>systemd-coredump.socket</td><td>rpcbind.socket</td><td>systemd-journald-dev-log.socket</td><td>dbus.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-kernel.socket</td><td>paths
.target</td><td>chronyd.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-init.service</td><td>cloud-final.service</td><td>systemd-logind.service</td><td>systemd-ask-password-wall.path</td><td>auditd.service</td><td>sssd.service</td><td>rpcbind.service</td><td>sshd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>remote-fs-pre.target</td><td>auth-rpcgss-module.service</td><td>rhsmcertd.service</td><td>insights-client-boot.service</td><td>irqbalance.service</td><td>remote-fs.target</td><td>rsyslog.service</td><td>systemd-user-sessions.service</td><td>systemd-update-utmp-runlevel.service</td><td>crond.service</td><td>getty.target</td><td>getty@tty1.service</td><td>serial-getty@ttyS0.service</td><td>NetworkManager.service</td><td>tuned.service</td><td>kdump.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" id="rule-detail-idm46361749646800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Authorize Human Interface Devices and USB hubs in USBGuard daemonxccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub mediumCCE-84210-4 </div><div class="panel-heading"><h3 class="panel-title">Authorize Human Interface Devices and USB hubs in USBGuard daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-usbguard_allow_hid_and_hub:def:1</td></tr><tr><td>Time</td><td>2023-07-18T12:28:10+10:00</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-84210-4">CCE-84210-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</a></p></td></tr><tr><td>Description</td><td><div class="description">To allow the USBGuard daemon to authorize USB devices that combine human interface device and hub capabilities, add the line <code>allow with-interface match-all { 03:*:* 09:00:* }</code> to <code>/etc/usbguard/rules.conf</code>.</div></td></tr><tr><td>Rationale</td><td><div class="rationale">Without allowing Human Interface Devices, it might not be possible to interact with the system. 
Without allowing hubs, it might not be possible to use any USB devices on the system.</div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file has been altered by the system administrator, the rule does not check whether USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.</div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129480288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362129480288"><pre><code># Remediation is applicable only in certain platforms
if ! grep -q s390x /proc/sys/kernel/osrelease; then

# Append the allow rule for HID (class 03) and hub (class 09) interfaces
echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129478992" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362129478992"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>false</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: allow HID devices and hubs
  lineinfile:
    path: /etc/usbguard/rules.conf
    create: true
    line: allow with-interface match-all { 03:*:* 09:00:* }
    state: present
  when: ansible_architecture != "s390x"
  tags:
  - CCE-84210-4
  - NIST-800-53-CM-8(3)
  - NIST-800-53-IA-3
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - usbguard_allow_hid_and_hub
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm46362129476576" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet &#x21F2;</a><br><div class="panel-collapse collapse" id="idm46362129476576"><pre><code>---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  annotations:
    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }}
        mode: 0600
        path: /etc/usbguard/rules.d/75-hid-and-hub.conf
        overwrite: true
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval0'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists</span>&#160;<span class="label label-default">oval:ssg-test_usbguard_rules_nonempty:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_usbguard_rules_nonempty:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/usbguard/(rules|rules\.d/.*)\.conf$</td><td>^.*\S+.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><a href="#result-details" class="btn btn-info noprint">Scroll back to the first rule</a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.</div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit"> Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.3.7</p></div></footer></body></html>