From 60c795dd3c032437c95c75f87975ded6a4f5d861 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 23 Nov 2018 16:24:51 -0500 Subject: [PATCH] Updated controls to use the new impact and sub-sections capability * updated all impacts to use text based values * updated check tags to use `desc 'check',` sub-sections * updated fix tags to use `desc 'fix',` sub-sections Fixes #2 
Signed-off-by: Aaron Lippold --- controls/V-38437.rb | 7 +++---- controls/V-38438.rb | 7 +++---- controls/V-38439.rb | 7 +++---- controls/V-38443.rb | 7 +++---- controls/V-38444.rb | 7 +++---- controls/V-38445.rb | 7 +++---- controls/V-38446.rb | 6 +++--- controls/V-38447.rb | 6 +++--- controls/V-38448.rb | 6 +++--- controls/V-38449.rb | 6 +++--- controls/V-38450.rb | 6 +++--- controls/V-38451.rb | 6 +++--- controls/V-38452.rb | 6 +++--- controls/V-38453.rb | 6 +++--- controls/V-38454.rb | 6 +++--- controls/V-38455.rb | 6 +++--- controls/V-38456.rb | 6 +++--- controls/V-38457.rb | 6 +++--- controls/V-38458.rb | 6 +++--- controls/V-38459.rb | 6 +++--- controls/V-38460.rb | 6 +++--- controls/V-38461.rb | 6 +++--- controls/V-38463.rb | 6 +++--- controls/V-38464.rb | 6 +++--- controls/V-38465.rb | 6 +++--- controls/V-38466.rb | 6 +++--- controls/V-38467.rb | 6 +++--- controls/V-38468.rb | 6 +++--- controls/V-38469.rb | 6 +++--- controls/V-38470.rb | 6 +++--- controls/V-38471.rb | 6 +++--- controls/V-38472.rb | 6 +++--- controls/V-38473.rb | 6 +++--- controls/V-38474.rb | 8 ++++---- controls/V-38475.rb | 6 +++--- controls/V-38476.rb | 6 +++--- controls/V-38477.rb | 6 +++--- controls/V-38478.rb | 6 +++--- controls/V-38479.rb | 6 +++--- controls/V-38480.rb | 6 +++--- controls/V-38481.rb | 6 +++--- controls/V-38482.rb | 6 +++--- controls/V-38483.rb | 6 +++--- controls/V-38484.rb | 6 +++--- controls/V-38486.rb | 6 +++--- controls/V-38487.rb | 6 +++--- controls/V-38488.rb | 6 +++--- controls/V-38489.rb | 6 +++--- controls/V-38490.rb | 6 +++--- controls/V-38491.rb | 6 +++--- controls/V-38492.rb | 6 +++--- controls/V-38493.rb | 6 +++--- controls/V-38494.rb | 6 +++--- controls/V-38495.rb | 6 +++--- controls/V-38496.rb | 6 +++--- controls/V-38497.rb | 6 +++--- controls/V-38498.rb | 6 +++--- controls/V-38499.rb | 6 +++--- controls/V-38500.rb | 6 +++--- controls/V-38501.rb | 6 +++--- controls/V-38502.rb | 6 +++--- controls/V-38503.rb | 6 +++--- controls/V-38504.rb | 6 +++--- 
controls/V-38511.rb | 6 +++--- controls/V-38512.rb | 6 +++--- controls/V-38513.rb | 6 +++--- controls/V-38514.rb | 6 +++--- controls/V-38515.rb | 6 +++--- controls/V-38516.rb | 6 +++--- controls/V-38517.rb | 6 +++--- controls/V-38518.rb | 6 +++--- controls/V-38519.rb | 6 +++--- controls/V-38520.rb | 6 +++--- controls/V-38521.rb | 6 +++--- controls/V-38522.rb | 6 +++--- controls/V-38523.rb | 6 +++--- controls/V-38524.rb | 6 +++--- controls/V-38525.rb | 6 +++--- controls/V-38526.rb | 6 +++--- controls/V-38527.rb | 6 +++--- controls/V-38528.rb | 6 +++--- controls/V-38529.rb | 6 +++--- controls/V-38530.rb | 6 +++--- controls/V-38531.rb | 6 +++--- controls/V-38532.rb | 6 +++--- controls/V-38533.rb | 6 +++--- controls/V-38534.rb | 6 +++--- controls/V-38535.rb | 6 +++--- controls/V-38536.rb | 6 +++--- controls/V-38537.rb | 6 +++--- controls/V-38538.rb | 6 +++--- controls/V-38539.rb | 6 +++--- controls/V-38540.rb | 6 +++--- controls/V-38541.rb | 6 +++--- controls/V-38542.rb | 6 +++--- controls/V-38543.rb | 6 +++--- controls/V-38544.rb | 6 +++--- controls/V-38545.rb | 6 +++--- controls/V-38547.rb | 6 +++--- controls/V-38548.rb | 6 +++--- controls/V-38549.rb | 6 +++--- controls/V-38550.rb | 6 +++--- controls/V-38551.rb | 6 +++--- controls/V-38552.rb | 6 +++--- controls/V-38553.rb | 6 +++--- controls/V-38554.rb | 6 +++--- controls/V-38555.rb | 6 +++--- controls/V-38556.rb | 6 +++--- controls/V-38557.rb | 6 +++--- controls/V-38558.rb | 6 +++--- controls/V-38559.rb | 6 +++--- controls/V-38560.rb | 6 +++--- controls/V-38561.rb | 6 +++--- controls/V-38563.rb | 6 +++--- controls/V-38565.rb | 6 +++--- controls/V-38566.rb | 6 +++--- controls/V-38567.rb | 6 +++--- controls/V-38568.rb | 6 +++--- controls/V-38569.rb | 6 +++--- controls/V-38570.rb | 6 +++--- controls/V-38571.rb | 6 +++--- controls/V-38572.rb | 6 +++--- controls/V-38573.rb | 6 +++--- controls/V-38574.rb | 6 +++--- controls/V-38575.rb | 6 +++--- controls/V-38576.rb | 6 +++--- controls/V-38577.rb | 6 +++--- 
controls/V-38578.rb | 6 +++--- controls/V-38579.rb | 6 +++--- controls/V-38580.rb | 6 +++--- controls/V-38581.rb | 6 +++--- controls/V-38582.rb | 6 +++--- controls/V-38583.rb | 6 +++--- controls/V-38584.rb | 6 +++--- controls/V-38585.rb | 6 +++--- controls/V-38586.rb | 6 +++--- controls/V-38587.rb | 6 +++--- controls/V-38588.rb | 6 +++--- controls/V-38589.rb | 6 +++--- controls/V-38590.rb | 6 +++--- controls/V-38591.rb | 6 +++--- controls/V-38592.rb | 6 +++--- controls/V-38593.rb | 6 +++--- controls/V-38594.rb | 6 +++--- controls/V-38595.rb | 6 +++--- controls/V-38596.rb | 6 +++--- controls/V-38597.rb | 6 +++--- controls/V-38598.rb | 6 +++--- controls/V-38599.rb | 8 ++++---- controls/V-38600.rb | 6 +++--- controls/V-38601.rb | 6 +++--- controls/V-38602.rb | 6 +++--- controls/V-38603.rb | 6 +++--- controls/V-38604.rb | 6 +++--- controls/V-38605.rb | 6 +++--- controls/V-38606.rb | 6 +++--- controls/V-38607.rb | 6 +++--- controls/V-38608.rb | 6 +++--- controls/V-38609.rb | 6 +++--- controls/V-38610.rb | 6 +++--- controls/V-38611.rb | 6 +++--- controls/V-38612.rb | 6 +++--- controls/V-38613.rb | 6 +++--- controls/V-38614.rb | 6 +++--- controls/V-38615.rb | 6 +++--- controls/V-38616.rb | 6 +++--- controls/V-38617.rb | 6 +++--- controls/V-38618.rb | 6 +++--- controls/V-38619.rb | 6 +++--- controls/V-38620.rb | 6 +++--- controls/V-38621.rb | 6 +++--- controls/V-38622.rb | 6 +++--- controls/V-38623.rb | 6 +++--- controls/V-38624.rb | 6 +++--- controls/V-38627.rb | 6 +++--- controls/V-38628.rb | 6 +++--- controls/V-38629.rb | 8 ++++---- controls/V-38630.rb | 8 ++++---- controls/V-38631.rb | 6 +++--- controls/V-38632.rb | 6 +++--- controls/V-38633.rb | 6 +++--- controls/V-38634.rb | 6 +++--- controls/V-38636.rb | 6 +++--- controls/V-38637.rb | 6 +++--- controls/V-38638.rb | 8 ++++---- controls/V-38639.rb | 8 ++++---- controls/V-38640.rb | 6 +++--- controls/V-38641.rb | 6 +++--- controls/V-38642.rb | 6 +++--- controls/V-38643.rb | 6 +++--- controls/V-38644.rb | 6 +++--- 
controls/V-38645.rb | 6 +++--- controls/V-38646.rb | 6 +++--- controls/V-38647.rb | 6 +++--- controls/V-38648.rb | 6 +++--- controls/V-38649.rb | 6 +++--- controls/V-38650.rb | 6 +++--- controls/V-38651.rb | 6 +++--- controls/V-38652.rb | 6 +++--- controls/V-38653.rb | 6 +++--- controls/V-38654.rb | 6 +++--- controls/V-38655.rb | 6 +++--- controls/V-38656.rb | 6 +++--- controls/V-38657.rb | 8 ++++---- controls/V-38658.rb | 6 +++--- controls/V-38659.rb | 6 +++--- controls/V-38660.rb | 6 +++--- controls/V-38661.rb | 6 +++--- controls/V-38662.rb | 6 +++--- controls/V-38663.rb | 6 +++--- controls/V-38664.rb | 6 +++--- controls/V-38665.rb | 6 +++--- controls/V-38667.rb | 6 +++--- controls/V-38668.rb | 6 +++--- controls/V-38669.rb | 6 +++--- controls/V-38670.rb | 6 +++--- controls/V-38671.rb | 6 +++--- controls/V-38672.rb | 6 +++--- controls/V-38673.rb | 6 +++--- controls/V-38674.rb | 6 +++--- controls/V-38675.rb | 6 +++--- controls/V-38676.rb | 6 +++--- controls/V-38677.rb | 6 +++--- controls/V-38678.rb | 6 +++--- controls/V-38679.rb | 6 +++--- controls/V-38680.rb | 6 +++--- controls/V-38681.rb | 6 +++--- controls/V-38682.rb | 7 +++---- controls/V-38683.rb | 6 +++--- controls/V-38684.rb | 6 +++--- controls/V-38685.rb | 6 +++--- controls/V-38686.rb | 6 +++--- controls/V-38687.rb | 6 +++--- controls/V-38688.rb | 8 ++++---- controls/V-38689.rb | 8 ++++---- controls/V-38690.rb | 6 +++--- controls/V-38691.rb | 6 +++--- controls/V-38692.rb | 6 +++--- controls/V-38693.rb | 6 +++--- controls/V-38694.rb | 6 +++--- controls/V-38695.rb | 6 +++--- controls/V-38696.rb | 6 +++--- controls/V-38697.rb | 6 +++--- controls/V-38698.rb | 6 +++--- controls/V-38699.rb | 6 +++--- controls/V-38700.rb | 6 +++--- controls/V-38701.rb | 6 +++--- controls/V-38702.rb | 6 +++--- controls/V-43150.rb | 8 ++++---- controls/V-51337.rb | 6 +++--- controls/V-51363.rb | 6 +++--- controls/V-51369.rb | 6 +++--- controls/V-51379.rb | 6 +++--- controls/V-51391.rb | 6 +++--- controls/V-51875.rb | 6 +++--- 
controls/V-54381.rb | 6 +++--- controls/V-57569.rb | 6 +++--- controls/V-58901.rb | 6 +++--- controls/V-72817.rb | 6 +++--- controls/V-81441.rb | 6 +++--- controls/V-81443.rb | 6 +++--- controls/V-81445.rb | 6 +++--- controls/V-81447.rb | 6 +++--- controls/V-81449.rb | 6 +++--- 264 files changed, 802 insertions(+), 809 deletions(-) diff --git a/controls/V-38437.rb b/controls/V-38437.rb index fb132a7..78699c3 100644 --- a/controls/V-38437.rb +++ b/controls/V-38437.rb @@ -13,7 +13,7 @@ if NFS is required, it is almost always possible to configure filesystem mounts statically by editing \"/etc/fstab\" rather than relying on the automounter. " - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38437" tag "rid": "SV-50237r1_rule" @@ -31,7 +31,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the \"autofs\" service is disabled, run the following + desc 'check', "To verify the \"autofs\" service is disabled, run the following command: chkconfig --list autofs @@ -45,7 +45,7 @@ # service autofs status If the autofs service is enabled or running, this is a finding." - tag "fix": "If the \"autofs\" service is not needed to dynamically mount NFS + desc 'fix', "If the \"autofs\" service is not needed to dynamically mount NFS filesystems or removable media, disable the service for all runlevels: # chkconfig --level 0123456 autofs off @@ -76,4 +76,3 @@ it { should_not be_enabled } end end - diff --git a/controls/V-38438.rb b/controls/V-38438.rb index e732b7a..faaa444 100644 --- a/controls/V-38438.rb +++ b/controls/V-38438.rb @@ -4,7 +4,7 @@ indicates whether its activities can be audited. Although \"auditd\" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-38438" tag "rid": "SV-50238r4_rule" 
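Review bot: The switch from `impact 0.3` to `impact 'low'` in this hunk (and `0.5` to `'medium'` in the files that follow) changes the numeric score InSpec reports, not just its spelling: as far as I recall InSpec maps `'low'` to 0.1 and `'medium'` to 0.4 rather than back to 0.3/0.5, so JSON reporters and any dashboard that thresholds on impact will see different values for every control touched by this commit. String impacts also only parse on an InSpec release that supports them, so `inspec.yml` should pin `inspec_version` to that minimum or older runners will refuse the whole profile; that file is not part of this patch. It would help auditors to state the intended mapping once in the README or commit message, e.g. `CAT III -> 'low', CAT II -> 'medium', CAT I -> 'high'`, so severities stay traceable to the STIG.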
@@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect the kernel boot arguments (which follow the word + desc 'check', "Inspect the kernel boot arguments (which follow the word \"kernel\") in \"/boot/grub/grub.conf\". If they include \"audit=1\", then auditing is enabled at boot time. @@ -31,7 +31,7 @@ If the system uses UEFI inspect the kernel boot arguments (which follow the word \"kernel\") in \"/boot/efi/EFI/redhat/grub.conf\". If they include \"audit=1\", then auditing is enabled at boot time." - tag "fix": "To ensure all processes can be audited, even those which start + desc 'fix', "To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument \"audit=1\" to the kernel line in \"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\", in the manner below: @@ -50,4 +50,3 @@ end end end - diff --git a/controls/V-38439.rb b/controls/V-38439.rb index 9a348e2..f4bfa31 100644 --- a/controls/V-38439.rb +++ b/controls/V-38439.rb @@ -6,7 +6,7 @@ and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000001" tag "gid": "V-38439" tag "rid": "SV-50239r1_rule" 
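Review bot: Moving the check and fix text from `tag "check":` / `tag "fix":` into `desc 'check', …` / `desc 'fix', …` silently changes where reporters find it: it now lives under the control's `descriptions` hash instead of `tags`, and any downstream converter or dashboard still reading `tags['check']` or `tags['fix']` will get `nil` for all 264 controls. I can't see the consumers from this patch, so please confirm the tooling that ingests this profile's JSON output has been updated to the new location. The control block that holds these descriptions starts before and ends after this hunk.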
@@ -24,12 +24,12 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Interview the SA to determine if there is an automated system + desc 'check', "Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system. If there is not, this is a finding." - tag "fix": "Implement an automated system for managing user accounts that + desc 'fix', "Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos." @@ -38,4 +38,3 @@ skip "This control must be reviewed manually" end end - diff --git a/controls/V-38443.rb b/controls/V-38443.rb index da82487..817f217 100644 --- a/controls/V-38443.rb +++ b/controls/V-38443.rb @@ -2,7 +2,7 @@ title "The /etc/gshadow file must be owned by root." desc "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38443" tag "rid": "SV-50243r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the ownership of \"/etc/gshadow\", run the command: + desc 'check', "To check the ownership of \"/etc/gshadow\", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following owner: \"root\" If it does not, this is a finding." - tag "fix": "To properly set the owner of \"/etc/gshadow\", run the command: + desc 'fix', "To properly set the owner of \"/etc/gshadow\", run the command: # chown root /etc/gshadow" @@ -38,4 +38,3 @@ its("uid") { should cmp 0 } end end - diff --git a/controls/V-38444.rb b/controls/V-38444.rb index 57450ac..58763f1 100644 
--- a/controls/V-38444.rb +++ b/controls/V-38444.rb @@ -5,7 +5,7 @@ applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000231" tag "gid": "V-38444" tag "rid": "SV-50244r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If IPv6 is disabled, this is not applicable. + desc 'check', "If IPv6 is disabled, this is not applicable. Inspect the file \"/etc/sysconfig/ip6tables\" to determine the default policy for the INPUT chain. It should be set to DROP: @@ -32,7 +32,7 @@ If the default policy for the INPUT chain is not set to DROP, this is a finding. " - tag "fix": "To set the default policy to DROP (instead of ACCEPT) for the + desc 'fix', "To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \"/etc/sysconfig/ip6tables\": @@ -46,4 +46,3 @@ its('stdout.strip') { should match %r{Chain INPUT \(policy DROP} } end end - diff --git a/controls/V-38445.rb b/controls/V-38445.rb index 6a2c26d..03774ca 100644 --- a/controls/V-38445.rb +++ b/controls/V-38445.rb @@ -2,7 +2,7 @@ title "Audit log files must be group-owned by root." desc "If non-privileged users can write to audit logs, audit trails can be modified or destroyed." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000057" tag "gid": "V-38445" tag "rid": "SV-50245r2_rule" 
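Review bot: The check text moved here keeps the condition `If IPv6 is disabled, this is not applicable.`, but nothing in this hunk shows the control honouring it; the assertion visible in the last hunk, `its('stdout.strip') { should match %r{Chain INPUT \(policy DROP} }`, would fail rather than skip on a host with IPv6 disabled unless an `only_if` guard exists outside the hunk. Please confirm there is an `only_if { … }` covering the IPv6-disabled case, or add one, so the control reports N/A instead of a false finding. The control block begins and ends outside this hunk.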
@@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to check the group owner of the + desc 'check', "Run the following command to check the group owner of the system audit logs: grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n Audit logs must be group-owned by root. If they are not, this is a finding." - tag "fix": "Change the group owner of the audit log files with the following + desc 'fix', "Change the group owner of the audit log files with the following command: # chgrp root [audit_file]" @@ -36,4 +36,3 @@ its('stdout.lines') { should all match %{^root:} } end end - diff --git a/controls/V-38446.rb b/controls/V-38446.rb index bb27063..555ecaa 100644 --- a/controls/V-38446.rb +++ b/controls/V-38446.rb @@ -4,7 +4,7 @@ desc "A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38446" tag "rid": "SV-50246r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Find the list of alias maps used by the Postfix mail server: + desc 'check', "Find the list of alias maps used by the Postfix mail server: # postconf alias_maps @@ -32,7 +32,7 @@ If there are no aliases configured for root that forward to a monitored email address, this is a finding." - tag "fix": "Set up an alias for root that forwards to a monitored email + desc 'fix', "Set up an alias for root that forwards to a monitored email address: # echo \"root: @mail.mil\" >> /etc/aliases diff --git a/controls/V-38447.rb b/controls/V-38447.rb index 0706095..c0062b6 100644 --- a/controls/V-38447.rb +++ b/controls/V-38447.rb 
@@ -4,7 +4,7 @@ desc "The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38447" tag "rid": "SV-50247r4_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will list which files on the system have + desc 'check', "The following command will list which files on the system have file hashes different from what is expected by the RPM database: # rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"' @@ -33,7 +33,7 @@ If there are changes to system binaries and they are not documented with the ISSO, this is a finding. " - tag "fix": "The RPM package management system can check the hashes of + desc 'fix', "The RPM package management system can check the hashes of installed software packages, including many that are important to system security. Run the following command to list which files on the system have hashes that differ from what is expected by the RPM database: diff --git a/controls/V-38448.rb b/controls/V-38448.rb index 116ba0f..a82aecc 100644 --- a/controls/V-38448.rb +++ b/controls/V-38448.rb @@ -2,7 +2,7 @@ title "The /etc/gshadow file must be group-owned by root." desc "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38448" tag "rid": "SV-50248r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the group ownership of \"/etc/gshadow\", run the + desc 'check', "To check the group ownership of \"/etc/gshadow\", run the command: $ ls -l /etc/gshadow 
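Review bot: The new `desc 'check', "…"` strings are double-quoted, so every `"` in the STIG text has to be escaped as `\"` and Ruby will interpolate any `#{…}`, `#$…` or `#@…` sequence that appears in future check text; this hunk's `awk '$1 ~ /..5/ && $2 != \"c\"'` is safe only because the `$1` is not preceded by `#`. A single-quoted squiggly heredoc, `desc 'check', <<~'CHECK'` … `CHECK`, keeps the STIG text verbatim with no escaping and no interpolation (take care with the few controls whose text relies on `\\` escapes, such as the sed expression in V-38445). The same applies to the `desc 'fix'` block in the next hunk and to the other controls in this commit.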
@@ -28,7 +28,7 @@ If properly configured, the output should indicate the following group-owner. \"root\" If it does not, this is a finding." - tag "fix": "To properly set the group owner of \"/etc/gshadow\", run the + desc 'fix', "To properly set the group owner of \"/etc/gshadow\", run the command: # chgrp root /etc/gshadow" diff --git a/controls/V-38449.rb b/controls/V-38449.rb index 52ee652..ca85428 100644 --- a/controls/V-38449.rb +++ b/controls/V-38449.rb @@ -2,7 +2,7 @@ title "The /etc/gshadow file must have mode 0000." desc "The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38449" tag "rid": "SV-50249r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the permissions of \"/etc/gshadow\", run the command: + desc 'check', "To check the permissions of \"/etc/gshadow\", run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: \"----------\" If it does not, this is a finding." - tag "fix": "To properly set the permissions of \"/etc/gshadow\", run the + desc 'fix', "To properly set the permissions of \"/etc/gshadow\", run the command: # chmod 0000 /etc/gshadow" diff --git a/controls/V-38450.rb b/controls/V-38450.rb index 04a8c33..ef7ce18 100644 --- a/controls/V-38450.rb +++ b/controls/V-38450.rb @@ -3,7 +3,7 @@ desc "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38450" tag "rid": "SV-50250r1_rule" 
@@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the ownership of \"/etc/passwd\", run the command: + desc 'check', "To check the ownership of \"/etc/passwd\", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following owner: \"root\" If it does not, this is a finding." - tag "fix": "To properly set the owner of \"/etc/passwd\", run the command: + desc 'fix', "To properly set the owner of \"/etc/passwd\", run the command: # chown root /etc/passwd" diff --git a/controls/V-38451.rb b/controls/V-38451.rb index 51f9f17..1575619 100644 --- a/controls/V-38451.rb +++ b/controls/V-38451.rb @@ -3,7 +3,7 @@ desc "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38451" tag "rid": "SV-50251r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the group ownership of \"/etc/passwd\", run the + desc 'check', "To check the group ownership of \"/etc/passwd\", run the command: $ ls -l /etc/passwd @@ -29,7 +29,7 @@ If properly configured, the output should indicate the following group-owner. \"root\" If it does not, this is a finding." - tag "fix": "To properly set the group owner of \"/etc/passwd\", run the + desc 'fix', "To properly set the group owner of \"/etc/passwd\", run the command: # chgrp root /etc/passwd" diff --git a/controls/V-38452.rb b/controls/V-38452.rb index 92c4f2b..0170c5d 100644 --- a/controls/V-38452.rb +++ b/controls/V-38452.rb 
@@ -5,7 +5,7 @@ generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38452" tag "rid": "SV-50252r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will list which files and directories on + desc 'check', "The following command will list which files and directories on the system have permissions different from what is expected by the RPM database: @@ -40,7 +40,7 @@ If the existing permissions are more permissive than those expected by RPM, this is a finding." - tag "fix": "The RPM package management system can restore file access + desc 'fix', "The RPM package management system can restore file access permissions of package files and directories. The following command will update permissions on files and directories with permissions different from what is expected by the RPM database: diff --git a/controls/V-38453.rb b/controls/V-38453.rb index 73dc6e3..bd76c2b 100644 --- a/controls/V-38453.rb +++ b/controls/V-38453.rb @@ -5,7 +5,7 @@ incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38453" tag "rid": "SV-50253r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will list which files on the system have + desc 'check', "The following command will list which files on the system have group-ownership different from what is expected by the RPM database: # rpm -Va | grep '^......G' 
@@ -34,7 +34,7 @@ If any output has not been documented with the ISSO, this is a finding. " - tag "fix": "The RPM package management system can restore group-ownership of + desc 'fix', "The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: diff --git a/controls/V-38454.rb b/controls/V-38454.rb index 193ffa8..f2daa30 100644 --- a/controls/V-38454.rb +++ b/controls/V-38454.rb @@ -5,7 +5,7 @@ could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38454" tag "rid": "SV-50254r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will list which files on the system have + desc 'check', "The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.....U' @@ -34,7 +34,7 @@ If any output has not been documented with the ISSO, this is a finding. " - tag "fix": "The RPM package management system can restore ownership of + desc 'fix', "The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: diff --git a/controls/V-38455.rb b/controls/V-38455.rb index c3f42f3..198573d 100644 --- a/controls/V-38455.rb +++ b/controls/V-38455.rb 
@@ -3,7 +3,7 @@ desc "The \"/tmp\" partition is used as temporary storage by many programs. Placing \"/tmp\" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38455" tag "rid": "SV-50255r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if \"/tmp\" is on its + desc 'check', "Run the following command to determine if \"/tmp\" is on its own partition or logical volume: $ mount | grep \"on /tmp \" If \"/tmp\" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding." - tag "fix": "The \"/tmp\" directory is a world-writable directory used for + desc 'fix', "The \"/tmp\" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM." diff --git a/controls/V-38456.rb b/controls/V-38456.rb index 44b949c..b44335c 100644 --- a/controls/V-38456.rb +++ b/controls/V-38456.rb @@ -5,7 +5,7 @@ such as daemons or other programs which use it. It is not uncommon for the \"/var\" directory to contain world-writable directories, installed by other software packages." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38456" tag "rid": "SV-50256r1_rule" 
@@ -23,14 +23,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if \"/var\" is on its + desc 'check', "Run the following command to determine if \"/var\" is on its own partition or logical volume: $ mount | grep \"on /var \" If \"/var\" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding." - tag "fix": "The \"/var\" directory is used by daemons and other system + desc 'fix', "The \"/var\" directory is used by daemons and other system services to store frequently-changing data. Ensure that \"/var\" has its own partition or logical volume at installation time, or migrate it using LVM." diff --git a/controls/V-38457.rb b/controls/V-38457.rb index 469f6f1..6aab1f9 100644 --- a/controls/V-38457.rb +++ b/controls/V-38457.rb @@ -4,7 +4,7 @@ the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38457" tag "rid": "SV-50257r1_rule" @@ -22,14 +22,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the permissions of \"/etc/passwd\", run the command: + desc 'check', "To check the permissions of \"/etc/passwd\", run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: \"-rw-r--r--\" If it does not, this is a finding." - tag "fix": "To properly set the permissions of \"/etc/passwd\", run the + desc 'fix', "To properly set the permissions of \"/etc/passwd\", run the command: # chmod 0644 /etc/passwd" diff --git a/controls/V-38458.rb b/controls/V-38458.rb index db67e07..96cd059 100644 --- a/controls/V-38458.rb +++ b/controls/V-38458.rb 
@@ -3,7 +3,7 @@ desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38458" tag "rid": "SV-50258r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the ownership of \"/etc/group\", run the command: + desc 'check', "To check the ownership of \"/etc/group\", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following owner: \"root\" If it does not, this is a finding." - tag "fix": "To properly set the owner of \"/etc/group\", run the command: + desc 'fix', "To properly set the owner of \"/etc/group\", run the command: # chown root /etc/group" diff --git a/controls/V-38459.rb b/controls/V-38459.rb index 537a4f2..027b007 100644 --- a/controls/V-38459.rb +++ b/controls/V-38459.rb @@ -3,7 +3,7 @@ desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38459" tag "rid": "SV-50259r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the group ownership of \"/etc/group\", run the + desc 'check', "To check the group ownership of \"/etc/group\", run the command: $ ls -l /etc/group @@ -29,7 +29,7 @@ If properly configured, the output should indicate the following group-owner. \"root\" If it does not, this is a finding." - tag "fix": "To properly set the group owner of \"/etc/group\", run the + desc 'fix', "To properly set the group owner of \"/etc/group\", run the command: # chgrp root /etc/group" diff --git a/controls/V-38460.rb b/controls/V-38460.rb index e474ba7..030404f 100644 --- a/controls/V-38460.rb 
+++ b/controls/V-38460.rb @@ -3,7 +3,7 @@ desc "The \"all_squash\" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000104" tag "gid": "V-38460" tag "rid": "SV-50260r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the NFS server is read-only, in support of unrestricted + desc 'check', "If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable. The related \"root_squash\" option provides protection against remote @@ -34,7 +34,7 @@ If there is output, this is a finding." - tag "fix": "Remove any instances of the \"all_squash\" option from the file + desc 'fix', "Remove any instances of the \"all_squash\" option from the file \"/etc/exports\". Restart the NFS daemon for the changes to take effect. # service nfs restart" diff --git a/controls/V-38461.rb b/controls/V-38461.rb index d4fd5f7..cba4faa 100644 --- a/controls/V-38461.rb +++ b/controls/V-38461.rb @@ -3,7 +3,7 @@ desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38461" tag "rid": "SV-50261r1_rule" 
@@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the permissions of \"/etc/group\", run the command: + desc 'check', "To check the permissions of \"/etc/group\", run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: \"-rw-r--r--\" If it does not, this is a finding." - tag "fix": "To properly set the permissions of \"/etc/group\", run the + desc 'fix', "To properly set the permissions of \"/etc/group\", run the command: # chmod 644 /etc/group" diff --git a/controls/V-38463.rb b/controls/V-38463.rb index 4dce179..a6d86e4 100644 --- a/controls/V-38463.rb +++ b/controls/V-38463.rb @@ -2,7 +2,7 @@ title "The system must use a separate file system for /var/log." desc "Placing \"/var/log\" in its own partition enables better separation between log files and other files in \"/var/\"." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38463" tag "rid": "SV-50263r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if \"/var/log\" is on + desc 'check', "Run the following command to determine if \"/var/log\" is on its own partition or logical volume: $ mount | grep \"on /var/log \" If \"/var/log\" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding." - tag "fix": "System logs are stored in the \"/var/log\" directory. Ensure that + desc 'fix', "System logs are stored in the \"/var/log\" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM." diff --git a/controls/V-38464.rb b/controls/V-38464.rb index dcb32ad..47eb854 100644 --- a/controls/V-38464.rb +++ b/controls/V-38464.rb 
@@ -3,7 +3,7 @@ errors on the audit storage volume." desc "Taking appropriate action in case of disk errors will minimize the possibility of losing audit records." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000047" tag "gid": "V-38464" tag "rid": "SV-50264r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: @@ -31,7 +31,7 @@ If the system is configured to \"suspend\" when disk errors occur or \"ignore\" them, this is a finding." - tag "fix": "Edit the file \"/etc/audit/auditd.conf\". Modify the following + desc 'fix', "Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] diff --git a/controls/V-38465.rb b/controls/V-38465.rb index cffa524..adfea9c 100644 --- a/controls/V-38465.rb +++ b/controls/V-38465.rb @@ -4,7 +4,7 @@ space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000259" tag "gid": "V-38465" tag "rid": "SV-50265r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "System-wide shared library files, which are linked to + desc 'check', "System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: 
@@ -43,7 +43,7 @@ If any of these files (excluding broken symlinks) are group-writable or world-writable, this is a finding." - tag "fix": "System-wide shared library files, which are linked to executables + desc 'fix', "System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: diff --git a/controls/V-38466.rb b/controls/V-38466.rb index a4ded20..bd7c124 100644 --- a/controls/V-38466.rb +++ b/controls/V-38466.rb @@ -3,7 +3,7 @@ desc "Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000259" tag "gid": "V-38466" tag "rid": "SV-50266r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "System-wide shared library files, which are linked to + desc 'check', "System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: @@ -47,7 +47,7 @@ If the command returns any results, this is a finding." - tag "fix": "System-wide shared library files, which are linked to executables + desc 'fix', "System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default: diff --git a/controls/V-38467.rb b/controls/V-38467.rb index f287c89..89770ad 100644 --- a/controls/V-38467.rb +++ b/controls/V-38467.rb 
@@ -4,7 +4,7 @@ desc "Placing \"/var/log/audit\" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000044" tag "gid": "V-38467" tag "rid": "SV-50267r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if \"/var/log/audit\" is + desc 'check', "Run the following command to determine if \"/var/log/audit\" is on its own partition or logical volume: $ mount | grep \"on /var/log/audit \" @@ -30,7 +30,7 @@ If \"/var/log/audit\" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding." - tag "fix": "Audit logs are stored in the \"/var/log/audit\" directory. Ensure + desc 'fix', "Audit logs are stored in the \"/var/log/audit\" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon." diff --git a/controls/V-38468.rb b/controls/V-38468.rb index 26b68c9..1ff5b21 100644 --- a/controls/V-38468.rb +++ b/controls/V-38468.rb @@ -3,7 +3,7 @@ volume is full." desc "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000047" tag "gid": "V-38468" tag "rid": "SV-50268r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: 
@@ -31,7 +31,7 @@ If the system is configured to \"suspend\" when the volume is full or \"ignore\" that it is full, this is a finding." - tag "fix": "The \"auditd\" service can be configured to take an action when + desc 'fix', "The \"auditd\" service can be configured to take an action when disk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [ACTION] appropriately: diff --git a/controls/V-38469.rb b/controls/V-38469.rb index 53a6648..d50f409 100644 --- a/controls/V-38469.rb +++ b/controls/V-38469.rb @@ -3,7 +3,7 @@ desc "System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000259" tag "gid": "V-38469" tag "rid": "SV-50269r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "System executables are stored in the following directories by + desc 'check', "System executables are stored in the following directories by default: /bin @@ -39,7 +39,7 @@ If any system executables are found to be group-writable or world-writable, this is a finding." - tag "fix": "System executables are stored in the following directories by + desc 'fix', "System executables are stored in the following directories by default: /bin diff --git a/controls/V-38470.rb b/controls/V-38470.rb index c2f6d57..dd0584c 100644 --- a/controls/V-38470.rb +++ b/controls/V-38470.rb @@ -3,7 +3,7 @@ storage volume approaches capacity." desc "Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000045" tag "gid": "V-38470" tag "rid": "SV-50270r2_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: @@ -33,7 +33,7 @@ when disk space is starting to run low, this is a finding. The \"syslog\" option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner." - tag "fix": "The \"auditd\" service can be configured to take an action when + desc 'fix', "The \"auditd\" service can be configured to take an action when disk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [ACTION] appropriately: diff --git a/controls/V-38471.rb b/controls/V-38471.rb index b9c1e70..dc38fdd 100644 --- a/controls/V-38471.rb +++ b/controls/V-38471.rb @@ -4,7 +4,7 @@ to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000043" tag "gid": "V-38471" tag "rid": "SV-50271r1_rule" @@ -22,12 +22,12 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify the audispd plugin is active: + desc 'check', "Verify the audispd plugin is active: # grep active /etc/audisp/plugins.d/syslog.conf If the \"active\" setting is missing or set to \"no\", this is a finding." - tag "fix": "Set the \"active\" line in \"/etc/audisp/plugins.d/syslog.conf\" + desc 'fix', "Set the \"active\" line in \"/etc/audisp/plugins.d/syslog.conf\" to \"yes\". Restart the auditd process. # service auditd restart" diff --git a/controls/V-38472.rb b/controls/V-38472.rb index 9e7be14..b37b800 100644 --- a/controls/V-38472.rb 
+++ b/controls/V-38472.rb @@ -3,7 +3,7 @@ desc "System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000259" tag "gid": "V-38472" tag "rid": "SV-50272r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "System executables are stored in the following directories by + desc 'check', "System executables are stored in the following directories by default: /bin @@ -39,7 +39,7 @@ If any system executables are found to not be owned by root, this is a finding." - tag "fix": "System executables are stored in the following directories by + desc 'fix', "System executables are stored in the following directories by default: /bin diff --git a/controls/V-38473.rb b/controls/V-38473.rb index d6ac3bb..9bdda0f 100644 --- a/controls/V-38473.rb +++ b/controls/V-38473.rb @@ -3,7 +3,7 @@ desc "Ensuring that \"/home\" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38473" tag "rid": "SV-50273r1_rule" 
@@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if \"/home\" is on its + desc 'check', "Run the following command to determine if \"/home\" is on its own partition or logical volume: $ mount | grep \"on /home \" If \"/home\" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding." - tag "fix": "If user home directories will be stored locally, create a + desc 'fix', "If user home directories will be stored locally, create a separate partition for \"/home\" at installation time (or migrate it later using LVM). If \"/home\" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation diff --git a/controls/V-38474.rb b/controls/V-38474.rb index cd2ae1e..1c86d35 100644 --- a/controls/V-38474.rb +++ b/controls/V-38474.rb @@ -3,7 +3,7 @@ desc "The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000030" tag "gid": "V-38474" tag "rid": "SV-50274r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. Verify the keybindings for the Gnome screensaver: @@ -30,7 +30,7 @@ /apps/gnome_settings_daemon/keybindings/screensaver If no output is visible, this is a finding." - tag "fix": "Run the following command to set the Gnome desktop keybinding for + desc 'fix', "Run the following command to set the Gnome desktop keybinding for locking the screen: # gconftool-2 
@@ -47,7 +47,7 @@ its('stdout.strip') { should_not eq '' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38475.rb b/controls/V-38475.rb index 9dc99ff..6dfc25a 100644 --- a/controls/V-38475.rb +++ b/controls/V-38475.rb @@ -10,7 +10,7 @@ to migrate from a password-based authentication scheme to a stronger one based on PKI (public key infrastructure). " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000078" tag "gid": "V-38475" tag "rid": "SV-50275r3_rule" @@ -28,7 +28,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the minimum password length, run the command: + desc 'check', "To check the minimum password length, run the command: $ grep PASS_MIN_LEN /etc/login.defs @@ -43,7 +43,7 @@ If any results are returned and are not set to \"15\" or greater, this is a finding. " - tag "fix": "To specify password length requirements for new accounts, edit + desc 'fix', "To specify password length requirements for new accounts, edit the file \"/etc/login.defs\" and add or correct the following lines: PASS_MIN_LEN 15 diff --git a/controls/V-38476.rb b/controls/V-38476.rb index 4b95ae0..c237fbf 100644 --- a/controls/V-38476.rb +++ b/controls/V-38476.rb @@ -3,7 +3,7 @@ the integrity of system software." desc "The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat. " - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000090" tag "gid": "V-38476" tag "rid": "SV-50276r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure that the GPG keys are installed, run: + desc 'check', "To ensure that the GPG keys are installed, run: $ rpm -q gpg-pubkey 
@@ -31,7 +31,7 @@ gpg-pubkey-2fa658e0-45700c69 If the Red Hat GPG Keys are not installed, this is a finding." - tag "fix": "To ensure the system can cryptographically verify base software + desc 'fix', "To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run: diff --git a/controls/V-38477.rb b/controls/V-38477.rb index 895f2f2..d104520 100644 --- a/controls/V-38477.rb +++ b/controls/V-38477.rb @@ -3,7 +3,7 @@ hours." desc "Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000075" tag "gid": "V-38477" tag "rid": "SV-50277r1_rule" @@ -21,13 +21,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the minimum password age, run the command: + desc 'check', "To check the minimum password age, run the command: $ grep PASS_MIN_DAYS /etc/login.defs The DoD requirement is 1. If it is not set to the required value, this is a finding." - tag "fix": "To specify password minimum age for new accounts, edit the file + desc 'fix', "To specify password minimum age for new accounts, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: diff --git a/controls/V-38478.rb b/controls/V-38478.rb index 7537015..b26fe2a 100644 --- a/controls/V-38478.rb +++ b/controls/V-38478.rb @@ -5,7 +5,7 @@ system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the \"rhnsd\" daemon can remain on." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38478" tag "rid": "SV-50278r2_rule" 
@@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system uses RHN or an RHN Satellite, this is not + desc 'check', "If the system uses RHN or an RHN Satellite, this is not applicable. To check that the \"rhnsd\" service is disabled in system boot configuration, @@ -48,7 +48,7 @@ If the service is running, this is a finding." - tag "fix": "The Red Hat Network service automatically queries Red Hat Network + desc 'fix', "The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The \"rhnsd\" service can be diff --git a/controls/V-38479.rb b/controls/V-38479.rb index 7c4ad08..b7e0d74 100644 --- a/controls/V-38479.rb +++ b/controls/V-38479.rb @@ -5,7 +5,7 @@ of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000076" tag "gid": "V-38479" tag "rid": "SV-50279r1_rule" @@ -23,13 +23,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the maximum password age, run the command: + desc 'check', "To check the maximum password age, run the command: $ grep PASS_MAX_DAYS /etc/login.defs The DoD requirement is 60. If it is not set to the required value, this is a finding." - tag "fix": "To specify password maximum age for new accounts, edit the file + desc 'fix', "To specify password maximum age for new accounts, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: diff --git a/controls/V-38480.rb b/controls/V-38480.rb index 39b44fc..cc7497d 100644 --- a/controls/V-38480.rb +++ b/controls/V-38480.rb 
@@ -2,7 +2,7 @@ title "Users must be warned 7 days in advance of password expiration." desc "Setting the password warning age enables users to make the change at a practical time." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38480" tag "rid": "SV-50280r1_rule" @@ -20,13 +20,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the password warning age, run the command: + desc 'check', "To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The DoD requirement is 7. If it is not set to the required value, this is a finding." - tag "fix": "To specify how many days prior to password expiration that a + desc 'fix', "To specify how many days prior to password expiration that a warning will be issued to users, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: diff --git a/controls/V-38481.rb b/controls/V-38481.rb index d2ad3e5..75910f1 100644 --- a/controls/V-38481.rb +++ b/controls/V-38481.rb @@ -2,7 +2,7 @@ title "System security patches and updates must be installed and up-to-date." desc "Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000191" tag "gid": "V-38481" tag "rid": "SV-50281r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is joined to the Red Hat Network, a Red Hat + desc 'check', "If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available: 
@@ -35,7 +35,7 @@ https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates. If updates are not installed, this is a finding." - tag "fix": "If the system is joined to the Red Hat Network, a Red Hat + desc 'fix', "If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates: diff --git a/controls/V-38482.rb b/controls/V-38482.rb index 7e9ffa4..fdc3eba 100644 --- a/controls/V-38482.rb +++ b/controls/V-38482.rb @@ -3,7 +3,7 @@ character." desc "Requiring digits makes password guessing attacks more difficult by ensuring a larger search space." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000071" tag "gid": "V-38482" tag "rid": "SV-50282r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check how many digits are required in a password, run the + desc 'check', "To check how many digits are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -32,7 +32,7 @@ If \"dcredit\" is not found or not set to the required value, this is a finding. " - tag "fix": "The pam_cracklib module's \"dcredit\" parameter controls + desc 'fix', "The pam_cracklib module's \"dcredit\" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each diff --git a/controls/V-38483.rb b/controls/V-38483.rb index 10d5650..58529f0 100644 --- a/controls/V-38483.rb +++ b/controls/V-38483.rb 
@@ -4,7 +4,7 @@ desc "Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000103" tag "gid": "V-38483" tag "rid": "SV-50283r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine whether \"yum\" is configured to use \"gpgcheck\", + desc 'check', "To determine whether \"yum\" is configured to use \"gpgcheck\", inspect \"/etc/yum.conf\" and ensure the following appears in the \"[main]\" section: @@ -34,7 +34,7 @@ If the \"yum\" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed." - tag "fix": "The \"gpgcheck\" option should be used to ensure checking of an + desc 'fix', "The \"gpgcheck\" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in \"/etc/yum.conf\" in the \"[main]\" section: diff --git a/controls/V-38484.rb b/controls/V-38484.rb index 78239cd..efaa97f 100644 --- a/controls/V-38484.rb +++ b/controls/V-38484.rb @@ -9,7 +9,7 @@ At ssh login, a user must be presented with the last successful login date and time. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000025" tag "gid": "V-38484" tag "rid": "SV-50285r2_rule" 
@@ -27,14 +27,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify the value associated with the \"PrintLastLog\" keyword + desc 'check', "Verify the value associated with the \"PrintLastLog\" keyword in /etc/ssh/sshd_config: # grep -i \"^PrintLastLog\" /etc/ssh/sshd_config If the \"PrintLastLog\" keyword is not present, this is not a finding. If the value is not set to \"yes\", this is a finding." - tag "fix": "Update the \"PrintLastLog\" keyword to \"yes\" in + desc 'fix', "Update the \"PrintLastLog\" keyword to \"yes\" in /etc/ssh/sshd_config: PrintLastLog yes diff --git a/controls/V-38486.rb b/controls/V-38486.rb index a2c06f6..585d339 100644 --- a/controls/V-38486.rb +++ b/controls/V-38486.rb @@ -8,7 +8,7 @@ information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000100" tag "gid": "V-38486" tag "rid": "SV-50287r1_rule" @@ -26,11 +26,11 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Ask an administrator if a process exists to back up OS data + desc 'check', "Ask an administrator if a process exists to back up OS data from the system, including configuration data. If such a process does not exist, this is a finding." - tag "fix": "Procedures to back up OS data from the system must be established + desc 'fix', "Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. diff --git a/controls/V-38487.rb b/controls/V-38487.rb index 78cca84..fff5ebc 100644 --- a/controls/V-38487.rb +++ b/controls/V-38487.rb 
@@ -4,7 +4,7 @@ desc "Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000103" tag "gid": "V-38487" tag "rid": "SV-50288r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine whether \"yum\" has been configured to disable + desc 'check', "To determine whether \"yum\" has been configured to disable \"gpgcheck\" for any repos, inspect all files in \"/etc/yum.repos.d\" and ensure the following does not appear in any sections: @@ -33,7 +33,7 @@ If the \"yum\" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed." - tag "fix": "To ensure signature checking is not disabled for any repos, + desc 'fix', "To ensure signature checking is not disabled for any repos, remove any lines from files in \"/etc/yum.repos.d\" of the form: gpgcheck=0" diff --git a/controls/V-38488.rb b/controls/V-38488.rb index 81e38b3..a62c660 100644 --- a/controls/V-38488.rb +++ b/controls/V-38488.rb @@ -6,7 +6,7 @@ assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000099" tag "gid": "V-38488" tag "rid": "SV-50289r1_rule" 
@@ -24,11 +24,11 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Ask an administrator if a process exists to back up user data + desc 'check', "Ask an administrator if a process exists to back up user data from the system. If such a process does not exist, this is a finding." - tag "fix": "Procedures to back up user data from the system must be + desc 'fix', "Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available. diff --git a/controls/V-38489.rb b/controls/V-38489.rb index c0d1c19..8f563df 100644 --- a/controls/V-38489.rb +++ b/controls/V-38489.rb @@ -2,7 +2,7 @@ title "A file integrity tool must be installed." desc "The AIDE package must be installed if it is to be available for integrity checking." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000232" tag "gid": "V-38489" tag "rid": "SV-50290r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If another file integrity tool is installed, this is not a + desc 'check', "If another file integrity tool is installed, this is not a finding. Run the following command to determine if the \"aide\" package is installed: @@ -29,7 +29,7 @@ If the package is not installed, this is a finding." - tag "fix": "Install the AIDE package with the command: + desc 'fix', "Install the AIDE package with the command: # yum install aide" diff --git a/controls/V-38490.rb b/controls/V-38490.rb index d336e54..a836d6b 100644 --- a/controls/V-38490.rb +++ b/controls/V-38490.rb 
@@ -4,7 +4,7 @@ desc "USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000273" tag "gid": "V-38490" tag "rid": "SV-50291r6_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"usb-storage\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as @@ -34,7 +34,7 @@ | grep -v \"#\" If no line is returned, this is a finding." - tag "fix": "To prevent USB storage devices from being used, configure the + desc 'fix', "To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the \"usb-storage\" kernel module from being loaded, add the following line to a file in the directory diff --git a/controls/V-38491.rb b/controls/V-38491.rb index a199933..0b95b85 100644 --- a/controls/V-38491.rb +++ b/controls/V-38491.rb @@ -2,7 +2,7 @@ title "There must be no .rhosts or hosts.equiv files on the system." desc "Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000248" tag "gid": "V-38491" tag "rid": "SV-50292r1_rule" 
@@ -20,11 +20,11 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The existence of the file \"/etc/hosts.equiv\" or a file named + desc 'check', "The existence of the file \"/etc/hosts.equiv\" or a file named \".rhosts\" inside a user home directory indicates the presence of an Rsh trust relationship. If these files exist, this is a finding." - tag "fix": "The files \"/etc/hosts.equiv\" and \"~/.rhosts\" (in each user's + desc 'fix', "The files \"/etc/hosts.equiv\" and \"~/.rhosts\" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. diff --git a/controls/V-38492.rb b/controls/V-38492.rb index c00b6cd..6605d2c 100644 --- a/controls/V-38492.rb +++ b/controls/V-38492.rb @@ -3,7 +3,7 @@ consoles." desc "Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000109" tag "gid": "V-38492" tag "rid": "SV-50293r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check for virtual console entries which permit root login, + desc 'check', "To check for virtual console entries which permit root login, run the following command: # grep '^vc/[0-9]' /etc/securetty @@ -29,7 +29,7 @@ If any output is returned, then root logins over virtual console devices is permitted. If root login over virtual console devices is permitted, this is a finding." - tag "fix": "To restrict root logins through the (deprecated) virtual console + desc 'fix', "To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in \"/etc/securetty\": vc/1 diff --git a/controls/V-38493.rb b/controls/V-38493.rb index 01df0c0..48e458e 100644 
--- a/controls/V-38493.rb +++ b/controls/V-38493.rb @@ -2,7 +2,7 @@ title "Audit log directories must have mode 0755 or less permissive." desc "If users can delete audit logs, audit trails can be modified or destroyed." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000059" tag "gid": "V-38493" tag "rid": "SV-50294r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to check the mode of the system audit + desc 'check', "Run the following command to check the mode of the system audit directories: grep \"^log_file\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode 0755 or less permissive. If any are more permissive, this is a finding." - tag "fix": "Change the mode of the audit log directories with the following + desc 'fix', "Change the mode of the audit log directories with the following command: # chmod go-w [audit_directory]" diff --git a/controls/V-38494.rb b/controls/V-38494.rb index 7bc6c92..a03e81c 100644 --- a/controls/V-38494.rb +++ b/controls/V-38494.rb @@ -3,7 +3,7 @@ consoles." desc "Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000109" tag "gid": "V-38494" tag "rid": "SV-50295r1_rule" 
@@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check for serial port entries which permit root login, run + desc 'check', "To check for serial port entries which permit root login, run the following command: # grep '^ttyS[0-9]' /etc/securetty If any output is returned, then root login over serial ports is permitted. If root login over serial ports is permitted, this is a finding." - tag "fix": "To restrict root logins on serial ports, ensure lines of this + desc 'fix', "To restrict root logins on serial ports, ensure lines of this form do not appear in \"/etc/securetty\": ttyS0 diff --git a/controls/V-38495.rb b/controls/V-38495.rb index c8a1d6e..fb2b2ff 100644 --- a/controls/V-38495.rb +++ b/controls/V-38495.rb @@ -2,7 +2,7 @@ title "Audit log files must be owned by root." desc "If non-privileged users can write to audit logs, audit trails can be modified or destroyed." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000057" tag "gid": "V-38495" tag "rid": "SV-50296r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to check the owner of the system + desc 'check', "Run the following command to check the owner of the system audit logs: grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %U:%n Audit logs must be owned by root. If they are not, this is a finding." - tag "fix": "Change the owner of the audit log files with the following + desc 'fix', "Change the owner of the audit log files with the following command: # chown root [audit_file]" diff --git a/controls/V-38496.rb b/controls/V-38496.rb index b02b714..9c8385f 100644 --- a/controls/V-38496.rb +++ b/controls/V-38496.rb 
@@ -2,7 +2,7 @@ title "Default operating system accounts, other than root, must be locked." desc "Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38496" tag "rid": "SV-50297r3_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To obtain a listing of all users and the contents of their + desc 'check', "To obtain a listing of all users and the contents of their shadow password field, run the command: $ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow @@ -30,7 +30,7 @@ If any default operating system account (other than root) has a valid password hash, this is a finding." - tag "fix": "Some accounts are not associated with a human user of the system, + desc 'fix', "Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. diff --git a/controls/V-38497.rb b/controls/V-38497.rb index 6a0342c..0cf8198 100644 --- a/controls/V-38497.rb +++ b/controls/V-38497.rb @@ -4,7 +4,7 @@ desc "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38497" tag "rid": "SV-50298r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that null passwords cannot be used, run the following + desc 'check', "To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth 
@@ -30,7 +30,7 @@ If this produces any output, it may be possible to log into accounts with empty passwords. If NULL passwords can be used, this is a finding." - tag "fix": "If an account is configured for password authentication but does + desc 'fix', "If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons diff --git a/controls/V-38498.rb b/controls/V-38498.rb index 0a96fff..446f634 100644 --- a/controls/V-38498.rb +++ b/controls/V-38498.rb @@ -2,7 +2,7 @@ title "Audit log files must have mode 0640 or less permissive." desc "If users can write to audit logs, audit trails can be modified or destroyed." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000058" tag "gid": "V-38498" tag "rid": "SV-50299r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to check the mode of the system audit + desc 'check', "Run the following command to check the mode of the system audit logs: grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %a:%n Audit logs must be mode 0640 or less permissive. If any are more permissive, this is a finding." - tag "fix": "Change the mode of the audit log files with the following + desc 'fix', "Change the mode of the audit log files with the following command: # chmod 0640 [audit_file]" diff --git a/controls/V-38499.rb b/controls/V-38499.rb index 602c59c..305a6a3 100644 --- a/controls/V-38499.rb +++ b/controls/V-38499.rb 
@@ -2,7 +2,7 @@ title "The /etc/passwd file must not contain password hashes." desc "The hashes for all user account passwords should be stored in the file \"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38499" tag "rid": "SV-50300r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that no password hashes are stored in \"/etc/passwd\", + desc 'check', "To check that no password hashes are stored in \"/etc/passwd\", run the following command: # awk -F: '($2 != \"x\") {print}' /etc/passwd If it produces any output, then a password hash is stored in \"/etc/passwd\". If any stored hashes are found in /etc/passwd, this is a finding." - tag "fix": "If any password hashes are stored in \"/etc/passwd\" (in the + desc 'fix', "If any password hashes are stored in \"/etc/passwd\" (in the second field, instead of an \"x\"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely." diff --git a/controls/V-38500.rb b/controls/V-38500.rb index c978d1e..6aeae8e 100644 --- a/controls/V-38500.rb +++ b/controls/V-38500.rb @@ -5,7 +5,7 @@ password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38500" tag "rid": "SV-50301r2_rule" 
@@ -23,14 +23,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To list all password file entries for accounts with UID 0, run + desc 'check', "To list all password file entries for accounts with UID 0, run the following command: # awk -F: '($3 == 0) {print}' /etc/passwd This should print only one line, for the user root. If any account other than root has a UID of 0, this is a finding." - tag "fix": "If any account other than root has a UID of 0, this + desc 'fix', "If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed." diff --git a/controls/V-38501.rb b/controls/V-38501.rb index b8910db..79ba9ff 100644 --- a/controls/V-38501.rb +++ b/controls/V-38501.rb @@ -3,7 +3,7 @@ a 15-minute interval." desc "Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000249" tag "gid": "V-38501" tag "rid": "SV-50302r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure the failed password attempt policy is configured + desc 'check', "To ensure the failed password attempt policy is configured correctly, run the following command: $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth 
@@ -30,7 +30,7 @@ where \"interval-in-seconds\" is 900 (15 minutes) or greater. If the \"fail_interval\" parameter is not set, the default setting of 900 seconds is acceptable. If that is not the case, this is a finding. " - tag "fix": "Utilizing \"pam_faillock.so\", the \"fail_interval\" directive + desc 'fix', "Utilizing \"pam_faillock.so\", the \"fail_interval\" directive configures the system to lock out accounts after a number of incorrect logon attempts. Modify the content of both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows: diff --git a/controls/V-38502.rb b/controls/V-38502.rb index ec53762..0ea13b1 100644 --- a/controls/V-38502.rb +++ b/controls/V-38502.rb @@ -5,7 +5,7 @@ security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38502" tag "rid": "SV-50303r1_rule" @@ -23,14 +23,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the ownership of \"/etc/shadow\", run the command: + desc 'check', "To check the ownership of \"/etc/shadow\", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following owner: \"root\" If it does not, this is a finding." - tag "fix": "To properly set the owner of \"/etc/shadow\", run the command: + desc 'fix', "To properly set the owner of \"/etc/shadow\", run the command: # chown root /etc/shadow" diff --git a/controls/V-38503.rb b/controls/V-38503.rb index 93dae2e..f6c037e 100644 --- a/controls/V-38503.rb +++ b/controls/V-38503.rb 
@@ -2,7 +2,7 @@ title "The /etc/shadow file must be group-owned by root." desc "The \"/etc/shadow\" file stores password hashes. Protection of this file is critical for system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38503" tag "rid": "SV-50304r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the group ownership of \"/etc/shadow\", run the + desc 'check', "To check the group ownership of \"/etc/shadow\", run the command: $ ls -l /etc/shadow @@ -28,7 +28,7 @@ If properly configured, the output should indicate the following group-owner. \"root\" If it does not, this is a finding." - tag "fix": "To properly set the group owner of \"/etc/shadow\", run the + desc 'fix', "To properly set the group owner of \"/etc/shadow\", run the command: # chgrp root /etc/shadow" diff --git a/controls/V-38504.rb b/controls/V-38504.rb index 52651ea..e6599c4 100644 --- a/controls/V-38504.rb +++ b/controls/V-38504.rb @@ -5,7 +5,7 @@ security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38504" tag "rid": "SV-50305r1_rule" @@ -23,14 +23,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the permissions of \"/etc/shadow\", run the command: + desc 'check', "To check the permissions of \"/etc/shadow\", run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: \"----------\" If it does not, this is a finding." - tag "fix": "To properly set the permissions of \"/etc/shadow\", run the + desc 'fix', "To properly set the permissions of \"/etc/shadow\", run the command: # chmod 0000 /etc/shadow" 
diff --git a/controls/V-38511.rb b/controls/V-38511.rb index 0117090..db6d090 100644 --- a/controls/V-38511.rb +++ b/controls/V-38511.rb @@ -4,7 +4,7 @@ desc "IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38511" tag "rid": "SV-50312r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.ip_forward\" kernel parameter can + desc 'check', "The status of the \"net.ipv4.ip_forward\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward @@ -35,7 +35,7 @@ The ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the \"net.ipv4.ip_forward\" kernel + desc 'fix', "To set the runtime status of the \"net.ipv4.ip_forward\" kernel parameter, run the following command: # sysctl -w net.ipv4.ip_forward=0 diff --git a/controls/V-38512.rb b/controls/V-38512.rb index 0817653..20c20a6 100644 --- a/controls/V-38512.rb +++ b/controls/V-38512.rb @@ -4,7 +4,7 @@ interfaces employing boundary protection devices." desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000146" tag "gid": "V-38512" tag "rid": "SV-50313r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the \"iptables\" service: 
@@ -35,7 +35,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"iptables\" service can be enabled with the following + desc 'fix', "The \"iptables\" service can be enabled with the following commands: # chkconfig iptables on diff --git a/controls/V-38513.rb b/controls/V-38513.rb index af736f0..cc7d612 100644 --- a/controls/V-38513.rb +++ b/controls/V-38513.rb @@ -5,7 +5,7 @@ applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000231" tag "gid": "V-38513" tag "rid": "SV-50314r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to ensure the default \"INPUT\" + desc 'check', "Run the following command to ensure the default \"INPUT\" policy is \"DROP\": # iptables -nvL | grep -i input @@ -32,7 +32,7 @@ If the default policy for the INPUT chain is not set to DROP, this is a finding." - tag "fix": "To set the default policy to DROP (instead of ACCEPT) for the + desc 'fix', "To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \"/etc/sysconfig/iptables\": diff --git a/controls/V-38514.rb b/controls/V-38514.rb index 337c31f..a1acdd3 100644 --- a/controls/V-38514.rb +++ b/controls/V-38514.rb @@ -3,7 +3,7 @@ unless required." desc "Disabling DCCP protects the system against exploitation of any flaws in its implementation." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38514" tag "rid": "SV-50315r5_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"dccp\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as @@ -33,7 +33,7 @@ -v \"#\" If no line is returned, this is a finding." - tag "fix": "The Datagram Congestion Control Protocol (DCCP) is a relatively + desc 'fix', "The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the \"dccp\" kernel module from being loaded, add the following line to a file in the directory diff --git a/controls/V-38515.rb b/controls/V-38515.rb index 2d297ab..bd2ce19 100644 --- a/controls/V-38515.rb +++ b/controls/V-38515.rb @@ -3,7 +3,7 @@ unless required." desc "Disabling SCTP protects the system against exploitation of any flaws in its implementation." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38515" tag "rid": "SV-50316r5_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"sctp\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as 
@@ -33,7 +33,7 @@ -v \"#\" If no line is returned, this is a finding." - tag "fix": "The Stream Control Transmission Protocol (SCTP) is a transport + desc 'fix', "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the \"sctp\" kernel module from being loaded, add the following line diff --git a/controls/V-38516.rb b/controls/V-38516.rb index de5c511..3b50b98 100644 --- a/controls/V-38516.rb +++ b/controls/V-38516.rb @@ -3,7 +3,7 @@ required." desc "Disabling RDS protects the system against exploitation of any flaws in its implementation." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38516" tag "rid": "SV-50317r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"rds\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated \"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as @@ -32,7 +32,7 @@ $ grep -r rds /etc/modprobe.conf /etc/modprobe.d If no line is returned, this is a finding." - tag "fix": "The Reliable Datagram Sockets (RDS) protocol is a transport layer + desc 'fix', "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the \"rds\" kernel module from being loaded, add the following line to a file diff --git a/controls/V-38517.rb b/controls/V-38517.rb index 1e33750..5f11cac 100644 --- a/controls/V-38517.rb +++ b/controls/V-38517.rb 
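Review bot: The V-38516 check text now carried under `desc 'check'` uses `grep -r rds /etc/modprobe.conf /etc/modprobe.d` with no filter for comments, unlike the sibling dccp/sctp/tipc checks in this same diff which pipe through `grep -v "#"`; as written, a commented-out `# install rds /bin/true` or any unrelated token containing "rds" satisfies it, so a system that still auto-loads the module would pass. If the description is meant to stay verbatim STIG text, keep it, but make sure the control's `describe` block (not in this hunk) anchors on an active directive, e.g. `grep -rE '^\s*install\s+rds\s+/bin/(true|false)' /etc/modprobe.conf /etc/modprobe.d`, and consider noting the discrepancy in a comment so the next reviewer does not assume the two match. The related fix text's remaining lines also run past the end of this hunk.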
@@ -3,7 +3,7 @@ disabled unless required." desc "Disabling TIPC protects the system against exploitation of any flaws in its implementation." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38517" tag "rid": "SV-50318r5_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"tipc\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as @@ -33,7 +33,7 @@ -v \"#\" If no line is returned, this is a finding." - tag "fix": "The Transparent Inter-Process Communication (TIPC) protocol is + desc 'fix', "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the \"tipc\" kernel module from being loaded, add the following line to a file in the directory \"/etc/modprobe.d\": diff --git a/controls/V-38518.rb b/controls/V-38518.rb index 146accd..a1ea637 100644 --- a/controls/V-38518.rb +++ b/controls/V-38518.rb @@ -3,7 +3,7 @@ desc "The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000206" tag "gid": "V-38518" tag "rid": "SV-50319r2_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The owner of all log files written by \"rsyslog\" should be + desc 'check', "The owner of all log files written by \"rsyslog\" should be root. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the owner of a given log file, run the following command: @@ -32,7 +32,7 @@ and may require exclusion from consideration. If the owner is not root, this is a finding. " - tag "fix": "The owner of all log files written by \"rsyslog\" should be root. + desc 'fix', "The owner of all log files written by \"rsyslog\" should be root. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" typically all appear in \"/var/log\". For each log file [LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command to diff --git a/controls/V-38519.rb b/controls/V-38519.rb index 29b619e..2beea13 100644 --- a/controls/V-38519.rb +++ b/controls/V-38519.rb @@ -3,7 +3,7 @@ desc "The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000206" tag "gid": "V-38519" tag "rid": "SV-50320r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The group-owner of all log files written by \"rsyslog\" should + desc 'check', "The group-owner of all log files written by \"rsyslog\" should be root. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". To see the group-owner of a given log file, run the following command: 
@@ -32,7 +32,7 @@ and may require exclusion from consideration. If the group-owner is not root, this is a finding." - tag "fix": "The group-owner of all log files written by \"rsyslog\" should be + desc 'fix', "The group-owner of all log files written by \"rsyslog\" should be root. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". For each log file [LOGFILE] referenced in \"/etc/rsyslog.conf\", run the following command diff --git a/controls/V-38520.rb b/controls/V-38520.rb index 00e0e1d..8677ece 100644 --- a/controls/V-38520.rb +++ b/controls/V-38520.rb @@ -7,7 +7,7 @@ system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000215" tag "gid": "V-38520" tag "rid": "SV-50321r1_rule" @@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure logs are sent to a remote host, examine the file + desc 'check', "To ensure logs are sent to a remote host, examine the file \"/etc/rsyslog.conf\". If using UDP, a line similar to the following should be present: @@ -41,7 +41,7 @@ If none of these are present, this is a finding." - tag "fix": "To configure rsyslog to send logs to a remote log server, open + desc 'fix', "To configure rsyslog to send logs to a remote log server, open \"/etc/rsyslog.conf\" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its diff --git a/controls/V-38521.rb b/controls/V-38521.rb index a153304..ccab701 100644 --- a/controls/V-38521.rb +++ b/controls/V-38521.rb 
@@ -7,7 +7,7 @@ system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000043" tag "gid": "V-38521" tag "rid": "SV-50322r1_rule" @@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure logs are sent to a remote host, examine the file + desc 'check', "To ensure logs are sent to a remote host, examine the file \"/etc/rsyslog.conf\". If using UDP, a line similar to the following should be present: @@ -41,7 +41,7 @@ If none of these are present, this is a finding." - tag "fix": "To configure rsyslog to send logs to a remote log server, open + desc 'fix', "To configure rsyslog to send logs to a remote log server, open \"/etc/rsyslog.conf\" and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its diff --git a/controls/V-38522.rb b/controls/V-38522.rb index d928143..45de917 100644 --- a/controls/V-38522.rb +++ b/controls/V-38522.rb @@ -5,7 +5,7 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-38522" tag "rid": "SV-50323r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"settimeofday\" system call, run the following command: $ sudo grep -w \"settimeofday\" /etc/audit/audit.rules 
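Review bot: The V-38522 check text moved under `desc 'check'` only asserts that the word settimeofday appears somewhere in /etc/audit/audit.rules, so a commented-out or disabled rule (`-a never,exit …`) returns a line and would be read as compliant, and nothing in the text compares the file against the loaded ruleset. If the automated control mirrors this command, it should match an active rule, for example `grep -E '^\s*-a\s+always,exit\b.*-S\s+[^#]*\bsettimeofday\b' /etc/audit/audit.rules`, and the profile should say whether it also verifies `auditctl -l` output, since on an auditd host the running rules can differ from the file until restart. The corresponding fix hunk that follows begins "On a 32-bit system"; its 64-bit counterpart is outside this view.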
@@ -31,7 +31,7 @@ If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. " - tag "fix": "On a 32-bit system, add the following to + desc 'fix', "On a 32-bit system, add the following to \"/etc/audit/audit.rules\": # audit_time_rules diff --git a/controls/V-38523.rb b/controls/V-38523.rb index 780bf43..24be8a5 100644 --- a/controls/V-38523.rb +++ b/controls/V-38523.rb @@ -3,7 +3,7 @@ interface." desc "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38523" tag "rid": "SV-50324r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.accept_source_route\" + desc 'check', "The status of the \"net.ipv4.conf.all.accept_source_route\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route @@ -33,7 +33,7 @@ $ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.accept_source_route\" kernel parameter, run the following command: diff --git a/controls/V-38524.rb b/controls/V-38524.rb index 2fcab50..84aed56 100644 --- a/controls/V-38524.rb +++ b/controls/V-38524.rb @@ -2,7 +2,7 @@ title "The system must not accept ICMPv4 redirect packets on any interface." desc "Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38524" tag "rid": "SV-50325r2_rule" 
@@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.accept_redirects\" kernel + desc 'check', "The status of the \"net.ipv4.conf.all.accept_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects @@ -32,7 +32,7 @@ $ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.accept_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38525.rb b/controls/V-38525.rb index cb94b5d..07b8c49 100644 --- a/controls/V-38525.rb +++ b/controls/V-38525.rb @@ -5,7 +5,7 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-38525" tag "rid": "SV-50326r4_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is 64-bit only, this is not applicable. + desc 'check', "If the system is 64-bit only, this is not applicable. To determine if the system is configured to audit calls to the \"stime\" system call, run the following command: @@ -33,7 +33,7 @@ If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. " - tag "fix": "On a 32-bit system, add the following to + desc 'fix', "On a 32-bit system, add the following to \"/etc/audit/audit.rules\": # audit_time_rules diff --git a/controls/V-38526.rb b/controls/V-38526.rb index fdf49fa..65b1cf0 100644 --- a/controls/V-38526.rb +++ b/controls/V-38526.rb 
@@ -4,7 +4,7 @@ desc "Accepting \"secure\" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38526" tag "rid": "SV-50327r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.secure_redirects\" kernel + desc 'check', "The status of the \"net.ipv4.conf.all.secure_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects @@ -34,7 +34,7 @@ $ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding." - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.secure_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38527.rb b/controls/V-38527.rb index 613f784..2aa3794 100644 --- a/controls/V-38527.rb +++ b/controls/V-38527.rb @@ -5,7 +5,7 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-38527" tag "rid": "SV-50328r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"clock_settime\" system call, run the following command: $ sudo grep -w \"clock_settime\" /etc/audit/audit.rules 
@@ -31,7 +31,7 @@ If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding. " - tag "fix": "On a 32-bit system, add the following to + desc 'fix', "On a 32-bit system, add the following to \"/etc/audit/audit.rules\": # audit_time_rules diff --git a/controls/V-38528.rb b/controls/V-38528.rb index e3613d2..ec42316 100644 --- a/controls/V-38528.rb +++ b/controls/V-38528.rb @@ -4,7 +4,7 @@ as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38528" tag "rid": "SV-50329r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.log_martians\" kernel + desc 'check', "The status of the \"net.ipv4.conf.all.log_martians\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians @@ -34,7 +34,7 @@ $ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.log_martians\" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.log_martians=1 diff --git a/controls/V-38529.rb b/controls/V-38529.rb index a348790..f00cd8a 100644 --- a/controls/V-38529.rb +++ b/controls/V-38529.rb @@ -2,7 +2,7 @@ title "The system must not accept IPv4 source-routed packets by default." desc "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38529" tag "rid": "SV-50330r2_rule" 
@@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.default.accept_source_route\" + desc 'check', "The status of the \"net.ipv4.conf.default.accept_source_route\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route @@ -32,7 +32,7 @@ $ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.default.accept_source_route\" kernel parameter, run the following command: diff --git a/controls/V-38530.rb b/controls/V-38530.rb index b20cbc7..9d50c36 100644 --- a/controls/V-38530.rb +++ b/controls/V-38530.rb @@ -5,7 +5,7 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-38530" tag "rid": "SV-50331r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit attempts to + desc 'check', "To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: $ sudo grep -w \"/etc/localtime\" /etc/audit/audit.rules @@ -31,7 +31,7 @@ If the system is configured to audit this activity, it will return a line. If the system is not configured to audit time changes, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\": + desc 'fix', "Add the following to \"/etc/audit/audit.rules\": -w /etc/localtime -p wa -k audit_time_rules diff --git a/controls/V-38531.rb b/controls/V-38531.rb index 7c17d36..98a9ba2 100644 --- a/controls/V-38531.rb 
+++ b/controls/V-38531.rb @@ -3,7 +3,7 @@ desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000004" tag "gid": "V-38531" tag "rid": "SV-50332r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit account + desc 'check', "To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w @@ -32,7 +32,7 @@ returned for each file specified (and with \"-p wa\" for each). If the system is not configured to audit account changes, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\", in order to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: # audit_account_changes diff --git a/controls/V-38532.rb b/controls/V-38532.rb index 4fbf644..8d61083 100644 --- a/controls/V-38532.rb +++ b/controls/V-38532.rb @@ -3,7 +3,7 @@ desc "Accepting \"secure\" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38532" tag "rid": "SV-50333r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.default.secure_redirects\" + desc 'check', "The status of the \"net.ipv4.conf.default.secure_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects 
@@ -33,7 +33,7 @@ $ grep net.ipv4.conf.default.secure_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.default.secure_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38533.rb b/controls/V-38533.rb index 3ae0387..c5fc959 100644 --- a/controls/V-38533.rb +++ b/controls/V-38533.rb @@ -2,7 +2,7 @@ title "The system must ignore ICMPv4 redirect messages by default." desc "This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38533" tag "rid": "SV-50334r3_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.default.accept_redirects\" + desc 'check', "The status of the \"net.ipv4.conf.default.accept_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects @@ -32,7 +32,7 @@ $ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.default.accept_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38534.rb b/controls/V-38534.rb index 58b59a9..841ce97 100644 --- a/controls/V-38534.rb +++ b/controls/V-38534.rb @@ -3,7 +3,7 @@ desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000239" tag "gid": "V-38534" tag "rid": "SV-50335r2_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit account + desc 'check', "To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w @@ -32,7 +32,7 @@ returned for each file specified (and with \"-p wa\" for each). If the system is not configured to audit account changes, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\", in order to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: # audit_account_changes diff --git a/controls/V-38535.rb b/controls/V-38535.rb index a399077..337eacd 100644 --- a/controls/V-38535.rb +++ b/controls/V-38535.rb @@ -2,7 +2,7 @@ title "The system must not respond to ICMPv4 sent to a broadcast address." desc "Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38535" tag "rid": "SV-50336r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.icmp_echo_ignore_broadcasts\" + desc 'check', "The status of the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts @@ -32,7 +32,7 @@ $ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter, run the following command: diff --git a/controls/V-38536.rb b/controls/V-38536.rb index 6516e3a..510864a 100644 --- a/controls/V-38536.rb +++ b/controls/V-38536.rb 
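Review bot: The V-38534 check text still reads `$sudo egrep -w` with no space after the prompt, whereas V-38531 above prints `$ sudo egrep -w`; since this commit already rewrites the opening line of that string, the context line could be corrected to `$ sudo egrep -w` in the same pass so the documented command is copy-pasteable. The same `$sudo` appears in the V-38536 and V-38538 check hunks below. The remainder of the egrep command line lies outside the hunk.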
@@ -4,7 +4,7 @@ desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000240" tag "gid": "V-38536" tag "rid": "SV-50337r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit account + desc 'check', "To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w @@ -33,7 +33,7 @@ returned for each file specified (and with \"-p wa\" for each). If the system is not configured to audit account changes, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\", in order to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: # audit_account_changes diff --git a/controls/V-38537.rb b/controls/V-38537.rb index 9ad0dd7..e81b2ac 100644 --- a/controls/V-38537.rb +++ b/controls/V-38537.rb @@ -2,7 +2,7 @@ title "The system must ignore ICMPv4 bogus error responses." desc "Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38537" tag "rid": "SV-50338r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the + desc 'check', "The status of the \"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter can be queried by running the following command: 
@@ -33,7 +33,7 @@ $ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter, run the following command: diff --git a/controls/V-38538.rb b/controls/V-38538.rb index 377ea70..71f8a41 100644 --- a/controls/V-38538.rb +++ b/controls/V-38538.rb @@ -3,7 +3,7 @@ desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000241" tag "gid": "V-38538" tag "rid": "SV-50339r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit account + desc 'check', "To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w @@ -32,7 +32,7 @@ returned for each file specified (and with \"-p wa\" for each). If the system is not configured to audit account changes, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\", in order to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: # audit_account_changes diff --git a/controls/V-38539.rb b/controls/V-38539.rb index 3945e8f..39b286f 100644 --- a/controls/V-38539.rb +++ b/controls/V-38539.rb @@ -7,7 +7,7 @@ verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000142" tag "gid": "V-38539" tag "rid": "SV-50340r2_rule" 
@@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.tcp_syncookies\" kernel parameter + desc 'check', "The status of the \"net.ipv4.tcp_syncookies\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies @@ -37,7 +37,7 @@ $ grep net.ipv4.tcp_syncookies /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the \"net.ipv4.tcp_syncookies\" + desc 'fix', "To set the runtime status of the \"net.ipv4.tcp_syncookies\" kernel parameter, run the following command: # sysctl -w net.ipv4.tcp_syncookies=1 diff --git a/controls/V-38540.rb b/controls/V-38540.rb index 7b6640c..0890395 100644 --- a/controls/V-38540.rb +++ b/controls/V-38540.rb @@ -3,7 +3,7 @@ systems network configuration." desc "The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38540" tag "rid": "SV-50341r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If you are running x86_64 architecture, determine the values + desc 'check', "If you are running x86_64 architecture, determine the values for sethostname: $ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname \t @@ -53,7 +53,7 @@ If the system is not configured to audit changes of the network configuration, this is a finding. " - tag "fix": "Add the following to \"/etc/audit/audit.rules\", setting ARCH to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate for your system: # audit_network_modifications diff --git a/controls/V-38541.rb b/controls/V-38541.rb index e1a1c80..601e981 100644 --- a/controls/V-38541.rb +++ b/controls/V-38541.rb 
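Review bot: The V-38540 check text carries a stray `\t` escape at the end of `$ uname -m; ausyscall i386 sethostname; ausyscall x86_64 sethostname \t`, which inside a double-quoted Ruby string becomes a literal tab in the rendered check instructions; it looks like a conversion artifact and should be dropped while this string is being touched. The rest of the check text lies outside the hunk.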
@@ -4,7 +4,7 @@ desc "The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38541" tag "rid": "SV-50342r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit changes to + desc 'check', "To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: $ sudo grep -w \"/etc/selinux\" /etc/audit/audit.rules @@ -33,7 +33,7 @@ If the system is not configured to audit attempts to change the MAC policy, this is a finding." - tag "fix": "Add the following to \"/etc/audit/audit.rules\": + desc 'fix', "Add the following to \"/etc/audit/audit.rules\": -w /etc/selinux/ -p wa -k MAC-policy" diff --git a/controls/V-38542.rb b/controls/V-38542.rb index 49e338f..a58c930 100644 --- a/controls/V-38542.rb +++ b/controls/V-38542.rb @@ -5,7 +5,7 @@ that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38542" tag "rid": "SV-50343r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.rp_filter\" kernel + desc 'check', "The status of the \"net.ipv4.conf.all.rp_filter\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter 
@@ -35,7 +35,7 @@ $ grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the \"net.ipv4.conf.all.rp_filter\" + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.rp_filter\" kernel parameter, run the following command: # sysctl -w net.ipv4.conf.all.rp_filter=1 diff --git a/controls/V-38543.rb b/controls/V-38543.rb index 340cce0..8faa328 100644 --- a/controls/V-38543.rb +++ b/controls/V-38543.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38543" tag "rid": "SV-50344r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"chmod\" system call, run the following command: $ sudo grep -w \"chmod\" /etc/audit/audit.rules @@ -33,7 +33,7 @@ If the system is not configured to audit permission changes, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38544.rb b/controls/V-38544.rb index ee27e70..7d23edc 100644 --- a/controls/V-38544.rb +++ b/controls/V-38544.rb 
@@ -5,7 +5,7 @@ that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38544" tag "rid": "SV-50345r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.default.rp_filter\" kernel + desc 'check', "The status of the \"net.ipv4.conf.default.rp_filter\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter @@ -35,7 +35,7 @@ $ grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.default.rp_filter\" kernel parameter, run the following command: diff --git a/controls/V-38545.rb b/controls/V-38545.rb index 466e9f9..dbe31db 100644 --- a/controls/V-38545.rb +++ b/controls/V-38545.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38545" tag "rid": "SV-50346r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"chown\" system call, run the following command: $ sudo grep -w \"chown\" /etc/audit/audit.rules 
@@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38547.rb b/controls/V-38547.rb index bfaf837..2526412 100644 --- a/controls/V-38547.rb +++ b/controls/V-38547.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38547" tag "rid": "SV-50348r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fchmod\" system call, run the following command: $ sudo grep -w \"fchmod\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38548.rb b/controls/V-38548.rb index 79b3c88..4fe9698 100644 --- a/controls/V-38548.rb +++ b/controls/V-38548.rb @@ -2,7 +2,7 @@ title "The system must ignore ICMPv6 redirects by default." desc "An illicit ICMP redirect message could result in a man-in-the-middle attack." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38548" tag "rid": "SV-50349r3_rule" 
@@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If IPv6 is disabled, this is not applicable. + desc 'check', "If IPv6 is disabled, this is not applicable. The status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter can be queried by running the following command: @@ -34,7 +34,7 @@ $ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38549.rb b/controls/V-38549.rb index 3a3f86d..517c231 100644 --- a/controls/V-38549.rb +++ b/controls/V-38549.rb @@ -2,7 +2,7 @@ title "The system must employ a local IPv6 firewall." desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000152" tag "gid": "V-38549" tag "rid": "SV-50350r3_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. @@ -35,7 +35,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"ip6tables\" service can be enabled with the following + desc 'fix', "The \"ip6tables\" service can be enabled with the following commands: # chkconfig ip6tables on diff --git a/controls/V-38550.rb b/controls/V-38550.rb index d7ceb73..cb9ba59 100644 --- a/controls/V-38550.rb +++ b/controls/V-38550.rb 
@@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38550" tag "rid": "SV-50351r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fchmodat\" system call, run the following command: $ sudo grep -w \"fchmodat\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38551.rb b/controls/V-38551.rb index b5f354a..19dc15b 100644 --- a/controls/V-38551.rb +++ b/controls/V-38551.rb @@ -4,7 +4,7 @@ devices arranged in accordance with an organizational security architecture." desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000145" tag "gid": "V-38551" tag "rid": "SV-50352r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. If IPV6 is disabled, this is not applicable. 
@@ -37,7 +37,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"ip6tables\" service can be enabled with the following + desc 'fix', "The \"ip6tables\" service can be enabled with the following commands: # chkconfig ip6tables on diff --git a/controls/V-38552.rb b/controls/V-38552.rb index 36aa483..d2d699e 100644 --- a/controls/V-38552.rb +++ b/controls/V-38552.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38552" tag "rid": "SV-50353r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fchown\" system call, run the following command: $ sudo grep -w \"fchown\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38553.rb b/controls/V-38553.rb index 8939597..bc02109 100644 --- a/controls/V-38553.rb +++ b/controls/V-38553.rb @@ -4,7 +4,7 @@ interfaces employing boundary protection devices." desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000146" tag "gid": "V-38553" tag "rid": "SV-50354r3_rule" 
@@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. If IPv6 is disabled, this is not applicable. @@ -37,7 +37,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"ip6tables\" service can be enabled with the following + desc 'fix', "The \"ip6tables\" service can be enabled with the following commands: # chkconfig ip6tables on diff --git a/controls/V-38554.rb b/controls/V-38554.rb index e7eaa5a..46f3fb3 100644 --- a/controls/V-38554.rb +++ b/controls/V-38554.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38554" tag "rid": "SV-50355r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fchownat\" system call, run the following command: $ sudo grep -w \"fchownat\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38555.rb b/controls/V-38555.rb index 728c027..07edec8 100644 --- a/controls/V-38555.rb +++ b/controls/V-38555.rb 
@@ -2,7 +2,7 @@ title "The system must employ a local IPv4 firewall." desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000152" tag "gid": "V-38555" tag "rid": "SV-50356r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the \"iptables\" service: @@ -33,7 +33,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"iptables\" service can be enabled with the following + desc 'fix', "The \"iptables\" service can be enabled with the following commands: # chkconfig iptables on diff --git a/controls/V-38556.rb b/controls/V-38556.rb index 07d5685..da3840b 100644 --- a/controls/V-38556.rb +++ b/controls/V-38556.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38556" tag "rid": "SV-50357r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fremovexattr\" system call, run the following command: $ sudo grep -w \"fremovexattr\" /etc/audit/audit.rules 
@@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38557.rb b/controls/V-38557.rb index 6deac2e..5d063f5 100644 --- a/controls/V-38557.rb +++ b/controls/V-38557.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38557" tag "rid": "SV-50358r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"fsetxattr\" system call, run the following command: $ sudo grep -w \"fsetxattr\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38558.rb b/controls/V-38558.rb index 6596b3d..7f108c4 100644 --- a/controls/V-38558.rb +++ b/controls/V-38558.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38558" tag "rid": "SV-50359r3_rule" 
@@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"lchown\" system call, run the following command: $ sudo grep -w \"lchown\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38559.rb b/controls/V-38559.rb index 8fe9368..ad1e8c9 100644 --- a/controls/V-38559.rb +++ b/controls/V-38559.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38559" tag "rid": "SV-50360r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"lremovexattr\" system call, run the following command: $ sudo grep -w \"lremovexattr\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38560.rb b/controls/V-38560.rb index c7d49d1..2adf55c 100644 --- a/controls/V-38560.rb +++ b/controls/V-38560.rb 
@@ -4,7 +4,7 @@ devices arranged in accordance with an organizational security architecture." desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000145" tag "gid": "V-38560" tag "rid": "SV-50361r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is a cross-domain system, this is not applicable. + desc 'check', "If the system is a cross-domain system, this is not applicable. Run the following command to determine the current status of the \"iptables\" service: @@ -35,7 +35,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"iptables\" service can be enabled with the following + desc 'fix', "The \"iptables\" service can be enabled with the following commands: # chkconfig iptables on diff --git a/controls/V-38561.rb b/controls/V-38561.rb index d8f6b9a..ea62bc9 100644 --- a/controls/V-38561.rb +++ b/controls/V-38561.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38561" tag "rid": "SV-50362r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"lsetxattr\" system call, run the following command: $ sudo grep -w \"lsetxattr\" /etc/audit/audit.rules 
@@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38563.rb b/controls/V-38563.rb index 4ddf52f..7c595e7 100644 --- a/controls/V-38563.rb +++ b/controls/V-38563.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38563" tag "rid": "SV-50364r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"removexattr\" system call, run the following command: $ sudo grep -w \"removexattr\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding." - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38565.rb b/controls/V-38565.rb index fc22019..c4a4893 100644 --- a/controls/V-38565.rb +++ b/controls/V-38565.rb @@ -5,7 +5,7 @@ attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38565" tag "rid": "SV-50366r3_rule" 
@@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"setxattr\" system call, run the following command: $ sudo grep -w \"setxattr\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file permission + desc 'fix', "At a minimum, the audit system should collect file permission changes for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38566.rb b/controls/V-38566.rb index 4cb05b5..ebad090 100644 --- a/controls/V-38566.rb +++ b/controls/V-38566.rb @@ -4,7 +4,7 @@ desc "Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38566" tag "rid": "SV-50367r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that the audit system collects unauthorized file + desc 'check', "To verify that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules @@ -33,7 +33,7 @@ If either command lacks output, this is a finding." - tag "fix": "At a minimum, the audit system should collect unauthorized file + desc 'fix', "At a minimum, the audit system should collect unauthorized file accesses for all users and root. Add the following to \"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate for your system: diff --git a/controls/V-38567.rb b/controls/V-38567.rb index 0152421..0ddb5d3 100644 --- a/controls/V-38567.rb +++ b/controls/V-38567.rb 
@@ -5,7 +5,7 @@ which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000020" tag "gid": "V-38567" tag "rid": "SV-50368r4_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that auditing of privileged command use is + desc 'check', "To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs: @@ -36,7 +36,7 @@ It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding. " - tag "fix": "At a minimum, the audit system should collect the execution of + desc 'fix', "At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]: diff --git a/controls/V-38568.rb b/controls/V-38568.rb index 569e2ec..715c376 100644 --- a/controls/V-38568.rb +++ b/controls/V-38568.rb @@ -5,7 +5,7 @@ an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38568" tag "rid": "SV-50369r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that auditing is configured for all media exportation + desc 'check', "To verify that auditing is configured for all media exportation events, run the following command: $ sudo grep -w \"mount\" /etc/audit/audit.rules 
@@ -32,7 +32,7 @@ lines. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect media exportation + desc 'fix', "At a minimum, the audit system should collect media exportation events for all users and root. Add the following to \"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate for your system: diff --git a/controls/V-38569.rb b/controls/V-38569.rb index 13f59b7..a0bc9ef 100644 --- a/controls/V-38569.rb +++ b/controls/V-38569.rb @@ -3,7 +3,7 @@ alphabetic character." desc "Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000069" tag "gid": "V-38569" tag "rid": "SV-50370r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check how many uppercase characters are required in a + desc 'check', "To check how many uppercase characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -31,7 +31,7 @@ character in a password. This would appear as \"ucredit=-1\". If \"ucredit\" is not found or not set to the required value, this is a finding." - tag "fix": "The pam_cracklib module's \"ucredit=\" parameter controls + desc 'fix', "The pam_cracklib module's \"ucredit=\" parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 diff --git a/controls/V-38570.rb b/controls/V-38570.rb index dd0125c..dba3b15 100644 --- a/controls/V-38570.rb +++ b/controls/V-38570.rb 
@@ -3,7 +3,7 @@ character." desc "Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000266" tag "gid": "V-38570" tag "rid": "SV-50371r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check how many special characters are required in a + desc 'check', "To check how many special characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -31,7 +31,7 @@ character in a password. This would appear as \"ocredit=-1\". If \"ocredit\" is not found or not set to the required value, this is a finding." - tag "fix": "The pam_cracklib module's \"ocredit=\" parameter controls + desc 'fix', "The pam_cracklib module's \"ocredit=\" parameter controls requirements for usage of special (or \"other\") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 diff --git a/controls/V-38571.rb b/controls/V-38571.rb index c8a3007..3d2f534 100644 --- a/controls/V-38571.rb +++ b/controls/V-38571.rb @@ -3,7 +3,7 @@ alphabetic character." desc "Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000070" tag "gid": "V-38571" tag "rid": "SV-50372r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check how many lower-case characters are required in a + desc 'check', "To check how many lower-case characters are required in a password, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth 
@@ -31,7 +31,7 @@ character in a password. This would appear as \"lcredit=-1\". If \"lcredit\" is not found or not set to the required value, this is a finding." - tag "fix": "The pam_cracklib module's \"lcredit=\" parameter controls + desc 'fix', "The pam_cracklib module's \"lcredit=\" parameter controls requirements for usage of lower-case letters in a password. When set to a negative number, any password will be required to contain that many lower-case characters. diff --git a/controls/V-38572.rb b/controls/V-38572.rb index b4c6bf1..52b0a12 100644 --- a/controls/V-38572.rb +++ b/controls/V-38572.rb @@ -5,7 +5,7 @@ changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000072" tag "gid": "V-38572" tag "rid": "SV-50373r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check how many characters must differ during a password + desc 'check', "To check how many characters must differ during a password change, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -33,7 +33,7 @@ appear as \"difok=8\". If \"difok\" is not found or is set to a value less than \"8\", this is a finding." - tag "fix": "The pam_cracklib module's \"difok\" parameter controls + desc 'fix', "The pam_cracklib module's \"difok\" parameter controls requirements for usage of different characters during a password change. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding \"difok=[NUM]\" diff --git a/controls/V-38573.rb b/controls/V-38573.rb index 694ddbb..691bc35 100644 --- a/controls/V-38573.rb +++ b/controls/V-38573.rb 
@@ -3,7 +3,7 @@ logon attempts." desc "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000021" tag "gid": "V-38573" tag "rid": "SV-50374r4_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure the failed password attempt policy is configured + desc 'check', "To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth The output should show \"deny=3\" for both files. If that is not the case, this is a finding." - tag "fix": "To configure the system to lock out accounts after a number of + desc 'fix', "To configure the system to lock out accounts after a number of incorrect logon attempts using \"pam_faillock.so\", modify the content of both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows: diff --git a/controls/V-38574.rb b/controls/V-38574.rb index 49ad37d..5e0085b 100644 --- a/controls/V-38574.rb +++ b/controls/V-38574.rb @@ -3,7 +3,7 @@ algorithm for generating account password hashes (system-auth)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000120" tag "gid": "V-38574" tag "rid": "SV-50375r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect the \"password\" section of \"/etc/pam.d/system-auth\", + desc 'check', "Inspect the \"password\" section of \"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\", \"/etc/pam.d/password-auth\", \"/etc/pam.d/password-auth-ac\" and other files in \"/etc/pam.d\" to identify the number of occurrences where the \"pam_unix.so\" module is used in the 
@@ -72,7 +72,7 @@ If any of the identified \"pam_unix.so\" modules do not use the \"sha512\" variable, this is a finding. " - tag "fix": "In \"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\", + desc 'fix', "In \"/etc/pam.d/system-auth\", \"/etc/pam.d/system-auth-ac\", \"/etc/pam.d/password-auth\", and \"/etc/pam.d/password-auth-ac\", among potentially other files, the \"password\" section of the files controls which PAM modules execute during a password change. Set the \"pam_unix.so\" module in diff --git a/controls/V-38575.rb b/controls/V-38575.rb index 5e29d8e..e5934a5 100644 --- a/controls/V-38575.rb +++ b/controls/V-38575.rb @@ -5,7 +5,7 @@ removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38575" tag "rid": "SV-50376r4_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"rmdir\" system call, run the following command: $ sudo grep -w \"rmdir\" /etc/audit/audit.rules @@ -55,7 +55,7 @@ If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding. " - tag "fix": "At a minimum, the audit system should collect file deletion + desc 'fix', "At a minimum, the audit system should collect file deletion events for all users and root. Add the following (or equivalent) to \"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate for your system: diff --git a/controls/V-38576.rb b/controls/V-38576.rb index 133dd1a..eeba8f5 100644 --- a/controls/V-38576.rb +++ b/controls/V-38576.rb 
@@ -3,7 +3,7 @@ algorithm for generating account password hashes (login.defs)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000120" tag "gid": "V-38576" tag "rid": "SV-50377r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/login.defs\" and ensure the following line + desc 'check', "Inspect \"/etc/login.defs\" and ensure the following line appears: ENCRYPT_METHOD SHA512 If it does not, this is a finding." - tag "fix": "In \"/etc/login.defs\", add or correct the following line to + desc 'fix', "In \"/etc/login.defs\", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: ENCRYPT_METHOD SHA512" diff --git a/controls/V-38577.rb b/controls/V-38577.rb index 75c3d03..0346489 100644 --- a/controls/V-38577.rb +++ b/controls/V-38577.rb @@ -3,7 +3,7 @@ algorithm for generating account password hashes (libuser.conf)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000120" tag "gid": "V-38577" tag "rid": "SV-50378r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/libuser.conf\" and ensure the following line + desc 'check', "Inspect \"/etc/libuser.conf\" and ensure the following line appears in the \"[default]\" section: crypt_style = sha512 If it does not, this is a finding." - tag "fix": "In \"/etc/libuser.conf\", add or correct the following line in + desc 'fix', "In \"/etc/libuser.conf\", add or correct the following line in its \"[defaults]\" section to ensure the system will use the SHA-512 algorithm for password hashing: diff --git a/controls/V-38578.rb b/controls/V-38578.rb index f2d5783..86562a6 100644 --- a/controls/V-38578.rb +++ b/controls/V-38578.rb 
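Review bot: In V-38577 the check text tells the reader to look in the `"[default]"` section of /etc/libuser.conf while the fix text (same hunk) refers to its `"[defaults]"` section; the two should agree, and the section name libuser actually reads is `[defaults]`. This is carried over from the old text rather than introduced here, but since the commit is already rewriting both lines it is the natural place to correct the check to `appears in the \"[defaults]\" section:` — an auditor following the check as written could look in the wrong place and mis-grade the hashing-algorithm control. The enclosing `control` block's body continues beyond this hunk.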
@@ -4,7 +4,7 @@ desc "The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38578" tag "rid": "SV-50379r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that auditing is configured for system administrator + desc 'check', "To verify that auditing is configured for system administrator actions, run the following command: $ sudo grep -w \"/etc/sudoers\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ watched). If there is no output, this is a finding." - tag "fix": "At a minimum, the audit system should collect administrator + desc 'fix', "At a minimum, the audit system should collect administrator actions for all users and root. Add the following to \"/etc/audit/audit.rules\": diff --git a/controls/V-38579.rb b/controls/V-38579.rb index b0ef173..6501155 100644 --- a/controls/V-38579.rb +++ b/controls/V-38579.rb @@ -1,7 +1,7 @@ control "V-38579" do title "The system boot loader configuration file(s) must be owned by root." desc "Only root should be able to modify important boot parameters." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38579" tag "rid": "SV-50380r2_rule" 
@@ -19,14 +19,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the ownership of \"/boot/grub/grub.conf\", run the + desc 'check', "To check the ownership of \"/boot/grub/grub.conf\", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate that the owner is \"root\". If it does not, this is a finding." - tag "fix": "The file \"/boot/grub/grub.conf\" should be owned by the \"root\" + desc 'fix', "The file \"/boot/grub/grub.conf\" should be owned by the \"root\" user to prevent destruction or modification of the file. To properly set the owner of \"/boot/grub/grub.conf\", run the command: diff --git a/controls/V-38580.rb b/controls/V-38580.rb index 40eaa7a..99bee7d 100644 --- a/controls/V-38580.rb +++ b/controls/V-38580.rb @@ -5,7 +5,7 @@ behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000064" tag "gid": "V-38580" tag "rid": "SV-50381r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit execution of + desc 'check', "To determine if the system is configured to audit execution of module management programs, run the following commands: $ sudo egrep -e \"(-w |-F path=)/sbin/insmod\" /etc/audit/audit.rules 
@@ -47,7 +47,7 @@ module management programs, run the following commands: If the system is configured to audit this activity, it will return a line. If no line is returned for any of these commands, this is a finding. " - tag "fix": "Add the following to \"/etc/audit/audit.rules\" in order to + desc 'fix', "Add the following to \"/etc/audit/audit.rules\" in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system: diff --git a/controls/V-38581.rb b/controls/V-38581.rb index 688cc2a..0661ba0 100644 --- a/controls/V-38581.rb +++ b/controls/V-38581.rb @@ -3,7 +3,7 @@ root." desc "The \"root\" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38581" tag "rid": "SV-50382r2_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the group ownership of \"/boot/grub/grub.conf\", run + desc 'check', "To check the group ownership of \"/boot/grub/grub.conf\", run the command: $ ls -lL /boot/grub/grub.conf If properly configured, the output should indicate the group-owner is \"root\". If it does not, this is a finding." - tag "fix": "The file \"/boot/grub/grub.conf\" should be group-owned by the + desc 'fix', "The file \"/boot/grub/grub.conf\" should be group-owned by the \"root\" group to prevent destruction or modification of the file. To properly set the group owner of \"/boot/grub/grub.conf\", run the command: diff --git a/controls/V-38582.rb b/controls/V-38582.rb index f2e8001..6b8cb79 100644 --- a/controls/V-38582.rb +++ b/controls/V-38582.rb 
@@ -5,7 +5,7 @@ programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38582" tag "rid": "SV-50383r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If network services are using the xinetd service, this is not + desc 'check', "If network services are using the xinetd service, this is not applicable. To check that the \"xinetd\" service is disabled in system boot configuration, @@ -48,7 +48,7 @@ If the service is running, this is a finding." - tag "fix": "The \"xinetd\" service can be disabled with the following + desc 'fix', "The \"xinetd\" service can be disabled with the following commands: # chkconfig xinetd off diff --git a/controls/V-38583.rb b/controls/V-38583.rb index 64af685..87135c9 100644 --- a/controls/V-38583.rb +++ b/controls/V-38583.rb @@ -3,7 +3,7 @@ less permissive." desc "Proper permissions ensure that only the root user can modify important boot parameters." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38583" tag "rid": "SV-50384r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the permissions of \"/boot/grub/grub.conf\", run the + desc 'check', "To check the permissions of \"/boot/grub/grub.conf\", run the command: $ sudo ls -lL /boot/grub/grub.conf @@ -35,7 +35,7 @@ \"-rw-------\" If it does not, this is a finding." - tag "fix": "File permissions for \"/boot/grub/grub.conf\" and + desc 'fix', "File permissions for \"/boot/grub/grub.conf\" and \"/boot/efi/EFI/redhat/grub.conf\" should be set to 600, which is the default. To properly set the permissions of \"/boot/grub/grub.conf\", run the command: 
diff --git a/controls/V-38584.rb b/controls/V-38584.rb index e24640e..47c3db6 100644 --- a/controls/V-38584.rb +++ b/controls/V-38584.rb @@ -3,7 +3,7 @@ utilizing it are enabled." desc "Removing the \"xinetd\" package decreases the risk of the xinetd service's accidental (or intentional) activation." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38584" tag "rid": "SV-50385r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If network services are using the xinetd service, this is not + desc 'check', "If network services are using the xinetd service, this is not applicable. Run the following command to determine if the \"xinetd\" package is installed: @@ -30,7 +30,7 @@ If the package is installed, this is a finding." - tag "fix": "The \"xinetd\" package can be uninstalled with the following + desc 'fix', "The \"xinetd\" package can be uninstalled with the following command: # yum erase xinetd" diff --git a/controls/V-38585.rb b/controls/V-38585.rb index e73f711..05247ff 100644 --- a/controls/V-38585.rb +++ b/controls/V-38585.rb @@ -3,7 +3,7 @@ desc "Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000080" tag "gid": "V-38585" tag "rid": "SV-50386r4_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the boot loader password has been set and encrypted, + desc 'check', "To verify the boot loader password has been set and encrypted, run the following command: # grep password /boot/grub/grub.conf 
@@ -36,7 +36,7 @@ encrypted: # grep password /boot/efi/EFI/redhat/grub.conf" - tag "fix": "The grub boot loader should have password protection enabled to + desc 'fix', "The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: diff --git a/controls/V-38586.rb b/controls/V-38586.rb index c7d400b..8f0e4fc 100644 --- a/controls/V-38586.rb +++ b/controls/V-38586.rb @@ -4,7 +4,7 @@ desc "This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000080" tag "gid": "V-38586" tag "rid": "SV-50387r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check if authentication is required for single-user mode, + desc 'check', "To check if authentication is required for single-user mode, run the following command: $ grep SINGLE /etc/sysconfig/init @@ -33,7 +33,7 @@ If the output is different, this is a finding." - tag "fix": "Single-user mode is intended as a system recovery method, + desc 'fix', "Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. diff --git a/controls/V-38587.rb b/controls/V-38587.rb index f77c7d3..5d0f520 100644 --- a/controls/V-38587.rb +++ b/controls/V-38587.rb @@ -7,7 +7,7 @@ encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated. " - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000095" tag "gid": "V-38587" tag "rid": "SV-50388r1_rule" 
@@ -25,14 +25,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if the \"telnet-server\" + desc 'check', "Run the following command to determine if the \"telnet-server\" package is installed: # rpm -q telnet-server If the package is installed, this is a finding." - tag "fix": "The \"telnet-server\" package can be uninstalled with the + desc 'fix', "The \"telnet-server\" package can be uninstalled with the following command: # yum erase telnet-server" diff --git a/controls/V-38588.rb b/controls/V-38588.rb index 39ab6c2..1428326 100644 --- a/controls/V-38588.rb +++ b/controls/V-38588.rb @@ -2,7 +2,7 @@ title "The system must not permit interactive boot." desc "Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000080" tag "gid": "V-38588" tag "rid": "SV-50389r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check whether interactive boot is disabled, run the + desc 'check', "To check whether interactive boot is disabled, run the following command: $ grep PROMPT /etc/sysconfig/init @@ -31,7 +31,7 @@ If it does not, this is a finding." - tag "fix": "To disable the ability for users to perform interactive startups, + desc 'fix', "To disable the ability for users to perform interactive startups, edit the file \"/etc/sysconfig/init\". Add or correct the line: PROMPT=no diff --git a/controls/V-38589.rb b/controls/V-38589.rb index cb192b8..9e8f5ae 100644 --- a/controls/V-38589.rb +++ b/controls/V-38589.rb @@ -9,7 +9,7 @@ encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated. " - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000129" tag "gid": "V-38589" tag "rid": "SV-50390r2_rule" 
@@ -27,7 +27,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"telnet\" service is disabled in system boot + desc 'check', "To check that the \"telnet\" service is disabled in system boot configuration, run the following command: # chkconfig \"telnet\" --list @@ -42,7 +42,7 @@ If the service is running, this is a finding." - tag "fix": "The \"telnet\" service can be disabled with the following + desc 'fix', "The \"telnet\" service can be disabled with the following command: # chkconfig telnet off" diff --git a/controls/V-38590.rb b/controls/V-38590.rb index 5387fdb..5decb20 100644 --- a/controls/V-38590.rb +++ b/controls/V-38590.rb @@ -2,7 +2,7 @@ title "The system must allow locking of the console screen in text mode." desc "Installing \"screen\" ensures a console locking capability is available for users who may need to suspend console logins." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000030" tag "gid": "V-38590" tag "rid": "SV-50391r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if the \"screen\" + desc 'check', "Run the following command to determine if the \"screen\" package is installed: # rpm -q screen If the package is not installed, this is a finding." - tag "fix": "To enable console screen locking when in text mode, install the + desc 'fix', "To enable console screen locking when in text mode, install the \"screen\" package: # yum install screen diff --git a/controls/V-38591.rb b/controls/V-38591.rb index b0ef6b9..baca591 100644 --- a/controls/V-38591.rb +++ b/controls/V-38591.rb 
@@ -3,7 +3,7 @@ desc "The \"rsh-server\" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000095" tag "gid": "V-38591" tag "rid": "SV-50392r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if the \"rsh-server\" + desc 'check', "Run the following command to determine if the \"rsh-server\" package is installed: # rpm -q rsh-server If the package is installed, this is a finding." - tag "fix": "The \"rsh-server\" package can be uninstalled with the following + desc 'fix', "The \"rsh-server\" package can be uninstalled with the following command: # yum erase rsh-server" diff --git a/controls/V-38592.rb b/controls/V-38592.rb index 67cf4a8..32ce49a 100644 --- a/controls/V-38592.rb +++ b/controls/V-38592.rb @@ -5,7 +5,7 @@ prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000022" tag "gid": "V-38592" tag "rid": "SV-50393r4_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure the failed password attempt policy is configured + desc 'check', "To ensure the failed password attempt policy is configured correctly, run the following command: # grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth 
@@ -31,7 +31,7 @@ The output should show \"unlock_time=\"; the largest acceptable value is 604800 seconds (one week). If that is not the case, this is a finding." - tag "fix": "To configure the system to lock out accounts after a number of + desc 'fix', "To configure the system to lock out accounts after a number of incorrect logon attempts and require an administrator to unlock the account using \"pam_faillock.so\", modify the content of both \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" as follows: diff --git a/controls/V-38593.rb b/controls/V-38593.rb index e2d9c53..f383423 100644 --- a/controls/V-38593.rb +++ b/controls/V-38593.rb @@ -3,7 +3,7 @@ immediately prior to, or as part of, console login prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000228" tag "gid": "V-38593" tag "rid": "SV-50394r3_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check if the system login banner is compliant, run the + desc 'check', "To check if the system login banner is compliant, run the following command: $ cat /etc/issue @@ -34,7 +34,7 @@ If the required DoD logon banner is not displayed, this is a finding. " - tag "fix": "To configure the system login banner: + desc 'fix', "To configure the system login banner: Edit \"/etc/issue\". Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: diff --git a/controls/V-38594.rb b/controls/V-38594.rb index 2068f25..8f310bd 100644 --- a/controls/V-38594.rb +++ b/controls/V-38594.rb 
@@ -3,7 +3,7 @@ desc "The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000033" tag "gid": "V-38594" tag "rid": "SV-50395r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"rsh\" service is disabled in system boot + desc 'check', "To check that the \"rsh\" service is disabled in system boot configuration, run the following command: # chkconfig \"rsh\" --list @@ -36,7 +36,7 @@ If the service is running, this is a finding." - tag "fix": "The \"rsh\" service, which is available with the \"rsh-server\" + desc 'fix', "The \"rsh\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rsh\" service can be disabled with the following command: diff --git a/controls/V-38595.rb b/controls/V-38595.rb index 13d16ed..874a679 100644 --- a/controls/V-38595.rb +++ b/controls/V-38595.rb @@ -4,7 +4,7 @@ desc "Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000105" tag "gid": "V-38595" tag "rid": "SV-50396r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Interview the SA to determine if all accounts not exempted by + desc 'check', "Interview the SA to determine if all accounts not exempted by policy are using CAC authentication. For DoD systems, the following systems and accounts are exempt from using smart card (CAC) authentication: 
@@ -39,7 +39,7 @@ If non-exempt accounts are not using CAC authentication, this is a finding." - tag "fix": "To enable smart card authentication, consult the documentation at: + desc 'fix', "To enable smart card authentication, consult the documentation at: https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html diff --git a/controls/V-38596.rb b/controls/V-38596.rb index d65bdfa..5d00d52 100644 --- a/controls/V-38596.rb +++ b/controls/V-38596.rb @@ -6,7 +6,7 @@ ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38596" tag "rid": "SV-50397r2_rule" @@ -24,7 +24,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"kernel.randomize_va_space\" kernel + desc 'check', "The status of the \"kernel.randomize_va_space\" kernel parameter can be queried by running the following commands: $ sysctl kernel.randomize_va_space @@ -35,7 +35,7 @@ been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\". If the correct value is not returned, this is a finding." - tag "fix": "To set the runtime status of the \"kernel.randomize_va_space\" + desc 'fix', "To set the runtime status of the \"kernel.randomize_va_space\" kernel parameter, run the following command: # sysctl -w kernel.randomize_va_space=2 diff --git a/controls/V-38597.rb b/controls/V-38597.rb index 7d550ec..3b8b2b2 100644 --- a/controls/V-38597.rb +++ b/controls/V-38597.rb @@ -7,7 +7,7 @@ a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38597" tag "rid": "SV-50398r2_rule" 
@@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"kernel.exec-shield\" kernel parameter can + desc 'check', "The status of the \"kernel.exec-shield\" kernel parameter can be queried by running the following command: $ sysctl kernel.exec-shield @@ -35,7 +35,7 @@ not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\". If the correct value is not returned, this is a finding." - tag "fix": "To set the runtime status of the \"kernel.exec-shield\" kernel + desc 'fix', "To set the runtime status of the \"kernel.exec-shield\" kernel parameter, run the following command: # sysctl -w kernel.exec-shield=1 diff --git a/controls/V-38598.rb b/controls/V-38598.rb index f61025b..7b3d06b 100644 --- a/controls/V-38598.rb +++ b/controls/V-38598.rb @@ -3,7 +3,7 @@ desc "The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000033" tag "gid": "V-38598" tag "rid": "SV-50399r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"rexec\" service is disabled in system boot + desc 'check', "To check that the \"rexec\" service is disabled in system boot configuration, run the following command: # chkconfig \"rexec\" --list @@ -36,7 +36,7 @@ If the service is running, this is a finding." - tag "fix": "The \"rexec\" service, which is available with the \"rsh-server\" + desc 'fix', "The \"rexec\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rexec\" service can be disabled with the following command: 
diff --git a/controls/V-38599.rb b/controls/V-38599.rb index f0b98e5..c37d4c8 100644 --- a/controls/V-38599.rb +++ b/controls/V-38599.rb @@ -3,7 +3,7 @@ Department of Defense (DoD) login banner." desc "This setting will cause the system greeting banner to be used for FTP connections as well." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000023" tag "gid": "V-38599" tag "rid": "SV-50400r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify this configuration, run the following command: + desc 'check', "To verify this configuration, run the following command: grep \"banner_file\" /etc/vsftpd/vsftpd.conf @@ -33,7 +33,7 @@ If it does not, this is a finding." - tag "fix": "Edit the vsftpd configuration file, which resides at + desc 'fix', "Edit the vsftpd configuration file, which resides at \"/etc/vsftpd/vsftpd.conf\" by default. Add or correct the following configuration options. @@ -51,7 +51,7 @@ its('banner_file') { should eq '/etc/issue' } end else - impact 0.0 + impact 'none' describe "Package vsftpd not installed" do skip "Package vsftpd not installed, this control Not Applicable" end diff --git a/controls/V-38600.rb b/controls/V-38600.rb index 0c5f50d..0d8c3ca 100644 --- a/controls/V-38600.rb +++ b/controls/V-38600.rb @@ -3,7 +3,7 @@ desc "Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38600" tag "rid": "SV-50401r2_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.default.send_redirects\" + desc 'check', "The status of the \"net.ipv4.conf.default.send_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects @@ -33,7 +33,7 @@ $ grep net.ipv4.conf.default.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.default.send_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38601.rb b/controls/V-38601.rb index d23095d..6aa45c8 100644 --- a/controls/V-38601.rb +++ b/controls/V-38601.rb @@ -3,7 +3,7 @@ desc "Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38601" tag "rid": "SV-50402r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The status of the \"net.ipv4.conf.all.send_redirects\" kernel + desc 'check', "The status of the \"net.ipv4.conf.all.send_redirects\" kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects @@ -33,7 +33,7 @@ $ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf If the correct value is not returned, this is a finding. " - tag "fix": "To set the runtime status of the + desc 'fix', "To set the runtime status of the \"net.ipv4.conf.all.send_redirects\" kernel parameter, run the following command: diff --git a/controls/V-38602.rb b/controls/V-38602.rb index 0d9b925..3fe5062 100644 --- a/controls/V-38602.rb +++ b/controls/V-38602.rb 
@@ -4,7 +4,7 @@ means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000248" tag "gid": "V-38602" tag "rid": "SV-50403r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": " + desc 'check', " To check that the \"rlogin\" service is disabled in system boot configuration, run the following command: @@ -38,7 +38,7 @@ If the service is running, this is a finding." - tag "fix": "The \"rlogin\" service, which is available with the + desc 'fix', "The \"rlogin\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rlogin\" service can be disabled with the following command: diff --git a/controls/V-38603.rb b/controls/V-38603.rb index 382ef31..e03280f 100644 --- a/controls/V-38603.rb +++ b/controls/V-38603.rb @@ -2,7 +2,7 @@ title "The ypserv package must not be installed." desc "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000095" tag "gid": "V-38603" tag "rid": "SV-50404r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if the \"ypserv\" + desc 'check', "Run the following command to determine if the \"ypserv\" package is installed: # rpm -q ypserv If the package is installed, this is a finding." - tag "fix": "The \"ypserv\" package can be uninstalled with the following + desc 'fix', "The \"ypserv\" package can be uninstalled with the following command: # yum erase ypserv" diff --git a/controls/V-38604.rb b/controls/V-38604.rb index 357a4c8..b136e98 100644 --- a/controls/V-38604.rb +++ b/controls/V-38604.rb 
@@ -2,7 +2,7 @@ title "The ypbind service must not be running." desc "Disabling the \"ypbind\" service ensures the system is not acting as a client in a NIS or NIS+ domain." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38604" tag "rid": "SV-50405r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"ypbind\" service is disabled in system boot + desc 'check', "To check that the \"ypbind\" service is disabled in system boot configuration, run the following command: # chkconfig \"ypbind\" --list @@ -42,7 +42,7 @@ If the service is running, this is a finding." - tag "fix": "The \"ypbind\" service, which allows the system to act as a + desc 'fix', "The \"ypbind\" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The \"ypbind\" service can be disabled with the following commands: diff --git a/controls/V-38605.rb b/controls/V-38605.rb index 95b3232..3fd0dea 100644 --- a/controls/V-38605.rb +++ b/controls/V-38605.rb @@ -2,7 +2,7 @@ title "The cron service must be running." desc "Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38605" tag "rid": "SV-50406r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine the current status of + desc 'check', "Run the following command to determine the current status of the \"crond\" service: # service crond status 
@@ -31,7 +31,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"crond\" service is used to execute commands at + desc 'fix', "The \"crond\" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The \"crond\" service can be enabled with the following commands: diff --git a/controls/V-38606.rb b/controls/V-38606.rb index 567263d..e0778eb 100644 --- a/controls/V-38606.rb +++ b/controls/V-38606.rb @@ -2,7 +2,7 @@ title "The tftp-server package must not be installed unless required." desc "Removing the \"tftp-server\" package decreases the risk of the accidental (or intentional) activation of tftp services." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000095" tag "gid": "V-38606" tag "rid": "SV-50407r2_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine if the \"tftp-server\" + desc 'check', "Run the following command to determine if the \"tftp-server\" package is installed: # rpm -q tftp-server If the package is installed, this is a finding." - tag "fix": "The \"tftp-server\" package can be removed with the following + desc 'fix', "The \"tftp-server\" package can be removed with the following command: # yum erase tftp-server" diff --git a/controls/V-38607.rb b/controls/V-38607.rb index 29934c4..2283dbd 100644 --- a/controls/V-38607.rb +++ b/controls/V-38607.rb @@ -2,7 +2,7 @@ title "The SSH daemon must be configured to use only the SSHv2 protocol." desc "SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000112" tag "gid": "V-38607" tag "rid": "SV-50408r1_rule" 
@@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check which SSH protocol version is allowed, run the + desc 'check', "To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config @@ -31,7 +31,7 @@ If it is not, this is a finding." - tag "fix": "Only SSH protocol version 2 connections should be permitted. The + desc 'fix', "Only SSH protocol version 2 connections should be permitted. The default setting in \"/etc/ssh/sshd_config\" is correct, and can be verified by ensuring that the following line appears: diff --git a/controls/V-38608.rb b/controls/V-38608.rb index 6471298..715ae25 100644 --- a/controls/V-38608.rb +++ b/controls/V-38608.rb @@ -2,7 +2,7 @@ title "The SSH daemon must set a timeout interval on idle sessions." desc "Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000163" tag "gid": "V-38608" tag "rid": "SV-50409r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to see what the timeout interval is: + desc 'check', "Run the following command to see what the timeout interval is: # grep ClientAliveInterval /etc/ssh/sshd_config @@ -30,7 +30,7 @@ If it is not, this is a finding." - tag "fix": "SSH allows administrators to set an idle timeout interval. After + desc 'fix', "SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. To set an idle timeout interval, edit the following line in diff --git a/controls/V-38609.rb b/controls/V-38609.rb index 90fe1c7..2f3e8e3 100644 --- a/controls/V-38609.rb +++ b/controls/V-38609.rb 
@@ -2,7 +2,7 @@ title "The TFTP service must not be running." desc "Disabling the \"tftp\" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000248" tag "gid": "V-38609" tag "rid": "SV-50410r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"tftp\" service is disabled in system boot + desc 'check', "To check that the \"tftp\" service is disabled in system boot configuration, run the following command: # chkconfig \"tftp\" --list @@ -35,7 +35,7 @@ If the service is running, this is a finding." - tag "fix": "The \"tftp\" service should be disabled. The \"tftp\" service can + desc 'fix', "The \"tftp\" service should be disabled. The \"tftp\" service can be disabled with the following command: # chkconfig tftp off" diff --git a/controls/V-38610.rb b/controls/V-38610.rb index efe7009..c774038 100644 --- a/controls/V-38610.rb +++ b/controls/V-38610.rb @@ -2,7 +2,7 @@ title "The SSH daemon must set a timeout count on idle sessions." desc "This ensures a user login will be terminated as soon as the \"ClientAliveCountMax\" is reached." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000126" tag "gid": "V-38610" tag "rid": "SV-50411r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure the SSH idle timeout will occur when the + desc 'check', "To ensure the SSH idle timeout will occur when the \"ClientAliveCountMax\" is set, run the following command: # grep ClientAliveCountMax /etc/ssh/sshd_config @@ -31,7 +31,7 @@ If it is not, this is a finding." - tag "fix": "To ensure the SSH idle timeout occurs precisely when the + desc 'fix', "To ensure the SSH idle timeout occurs precisely when the \"ClientAliveCountMax\" is set, edit \"/etc/ssh/sshd_config\" as follows: ClientAliveCountMax 0" 
diff --git a/controls/V-38611.rb b/controls/V-38611.rb index e778811..2f5a4b4 100644 --- a/controls/V-38611.rb +++ b/controls/V-38611.rb @@ -2,7 +2,7 @@ title "The SSH daemon must ignore .rhosts files." desc "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000106" tag "gid": "V-38611" tag "rid": "SV-50412r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine how the SSH daemon's \"IgnoreRhosts\" option is + desc 'check', "To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command: # grep -i IgnoreRhosts /etc/ssh/sshd_config @@ -28,7 +28,7 @@ If no line, a commented line, or a line indicating the value \"yes\" is returned, then the required value is set. If the required value is not set, this is a finding." - tag "fix": "SSH can emulate the behavior of the obsolete rsh command in + desc 'fix', "SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via \".rhosts\" files. diff --git a/controls/V-38612.rb b/controls/V-38612.rb index 6bea8b1..5b0c64a 100644 --- a/controls/V-38612.rb +++ b/controls/V-38612.rb @@ -2,7 +2,7 @@ title "The SSH daemon must not allow host-based authentication." desc "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000106" tag "gid": "V-38612" tag "rid": "SV-50413r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine how the SSH daemon's \"HostbasedAuthentication\" + desc 'check', "To determine how the SSH daemon's \"HostbasedAuthentication\" option is set, run the following command: # grep -i HostbasedAuthentication /etc/ssh/sshd_config 
@@ -28,7 +28,7 @@ If no line, a commented line, or a line indicating the value \"no\" is returned, then the required value is set. If the required value is not set, this is a finding." - tag "fix": "SSH's cryptographic host-based authentication is more secure than + desc 'fix', "SSH's cryptographic host-based authentication is more secure than \".rhosts\" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. diff --git a/controls/V-38613.rb b/controls/V-38613.rb index 2ee428b..7d8128b 100644 --- a/controls/V-38613.rb +++ b/controls/V-38613.rb @@ -4,7 +4,7 @@ desc "Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000109" tag "gid": "V-38613" tag "rid": "SV-50414r1_rule" @@ -22,14 +22,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine how the SSH daemon's \"PermitRootLogin\" option is + desc 'check', "To determine how the SSH daemon's \"PermitRootLogin\" option is set, run the following command: # grep -i PermitRootLogin /etc/ssh/sshd_config If a line indicating \"no\" is returned, then the required value is set. If the required value is not set, this is a finding." - tag "fix": "The root user should never be allowed to log in to a system + desc 'fix', "The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in \"/etc/ssh/sshd_config\": diff --git a/controls/V-38614.rb b/controls/V-38614.rb index a2521cb..938e376 100644 --- a/controls/V-38614.rb +++ b/controls/V-38614.rb 
@@ -3,7 +3,7 @@ desc "Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000106" tag "gid": "V-38614" tag "rid": "SV-50415r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" + desc 'check', "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config @@ -29,7 +29,7 @@ If no line, a commented line, or a line indicating the value \"no\" is returned, then the required value is set. If the required value is not set, this is a finding." - tag "fix": "To explicitly disallow remote login from accounts with empty + desc 'fix', "To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\": PermitEmptyPasswords no diff --git a/controls/V-38615.rb b/controls/V-38615.rb index 2c6c78c..338fdf6 100644 --- a/controls/V-38615.rb +++ b/controls/V-38615.rb @@ -5,7 +5,7 @@ process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000023" tag "gid": "V-38615" tag "rid": "SV-50416r1_rule" 
@@ -23,14 +23,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine how the SSH daemon's \"Banner\" option is set, run + desc 'check', "To determine how the SSH daemon's \"Banner\" option is set, run the following command: # grep -i Banner /etc/ssh/sshd_config If a line indicating /etc/issue is returned, then the required value is set. If the required value is not set, this is a finding." - tag "fix": "To enable the warning banner and ensure it is consistent across + desc 'fix', "To enable the warning banner and ensure it is consistent across the system, add or correct the following line in \"/etc/ssh/sshd_config\": Banner /etc/issue diff --git a/controls/V-38616.rb b/controls/V-38616.rb index 7fcfdf4..225f67c 100644 --- a/controls/V-38616.rb +++ b/controls/V-38616.rb @@ -2,7 +2,7 @@ title "The SSH daemon must not permit user environment settings." desc "SSH environment options potentially allow users to bypass access restriction in some configurations." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000242" tag "gid": "V-38616" tag "rid": "SV-50417r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure users are not able to present environment daemons, + desc 'check', "To ensure users are not able to present environment daemons, run the following command: # grep PermitUserEnvironment /etc/ssh/sshd_config @@ -31,7 +31,7 @@ If it is not, this is a finding." - tag "fix": "To ensure users are not able to present environment options to + desc 'fix', "To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in \"/etc/ssh/sshd_config\": PermitUserEnvironment no" diff --git a/controls/V-38617.rb b/controls/V-38617.rb index 96ed57a..569eb18 100644 --- a/controls/V-38617.rb +++ b/controls/V-38617.rb 
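Review bot: The `impact 0.3` → `impact 'low'` change in V-38616 is not score-neutral: InSpec resolves named impacts to fixed numbers, and in the releases I am familiar with `'low'` becomes 0.1, so JSON output and any scoring built on it will shift for every 0.3 control in this commit (the 0.5 → `'medium'` and 0.7 → `'high'` cases happen to round-trip). The severity band is unchanged, so this is a reporting caveat rather than a bug, but it is worth stating in the commit message so a diff of old and new results is not mistaken for a regression. If exact scores matter to a consumer, keep the numeric literal on those controls instead.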
@@ -3,7 +3,7 @@ ciphers." desc "Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000169" tag "gid": "V-38617" tag "rid": "SV-50418r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Only FIPS-approved ciphers should be used. To verify that only + desc 'check', "Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: # grep Ciphers /etc/ssh/sshd_config @@ -29,7 +29,7 @@ The output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. If that is not the case, this is a finding." - tag "fix": "Limit the ciphers to those algorithms which are FIPS-approved. + desc 'fix', "Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in \"/etc/ssh/sshd_config\" demonstrates use of FIPS-approved ciphers: diff --git a/controls/V-38618.rb b/controls/V-38618.rb index a8205d7..2b96804 100644 --- a/controls/V-38618.rb +++ b/controls/V-38618.rb @@ -3,7 +3,7 @@ desc "Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38618" tag "rid": "SV-50419r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"avahi-daemon\" service is disabled in + desc 'check', "To check that the \"avahi-daemon\" service is disabled in system boot configuration, run the following command: # chkconfig \"avahi-daemon\" --list 
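Review bot: The `desc 'fix'` text for V-38617 still presents 3DES as an acceptable FIPS cipher; that wording is carried over verbatim from the STIG, but 3DES has since been deprecated and the CTR mode the same paragraph prefers is only offered for AES by OpenSSH, so `3des-cbc` is the one entry that the guidance effectively argues against. The `describe` for this control is outside the hunk, so I cannot see whether it treats `3des-cbc` as compliant; if it does, consider limiting the accepted set to the AES CTR ciphers. Either way, a short comment above the assertion such as `# 3DES appears in the STIG text but is deprecated; the check deliberately only accepts AES` would stop the next reader from "fixing" the check back to the STIG wording.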
@@ -44,7 +44,7 @@ If the service is running, this is a finding." - tag "fix": "The \"avahi-daemon\" service can be disabled with the following + desc 'fix', "The \"avahi-daemon\" service can be disabled with the following commands: # chkconfig avahi-daemon off diff --git a/controls/V-38619.rb b/controls/V-38619.rb index ae625b2..0f158c0 100644 --- a/controls/V-38619.rb +++ b/controls/V-38619.rb @@ -3,7 +3,7 @@ desc "Unencrypted passwords for remote FTP servers may be stored in \".netrc\" files. DoD policy requires passwords be encrypted in storage and not used in access scripts." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000073" tag "gid": "V-38619" tag "rid": "SV-50420r2_rule" @@ -21,13 +21,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the system for the existence of any \".netrc\" files, + desc 'check', "To check the system for the existence of any \".netrc\" files, run the following command: $ sudo find /root /home -xdev -name .netrc If any .netrc files exist, this is a finding." - tag "fix": "The \".netrc\" files contain logon information used to auto-logon + desc 'fix', "The \".netrc\" files contain logon information used to auto-logon into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any \".netrc\" files diff --git a/controls/V-38620.rb b/controls/V-38620.rb index 250f4f7..d51a5df 100644 --- a/controls/V-38620.rb +++ b/controls/V-38620.rb @@ -7,7 +7,7 @@ other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000056" tag "gid": "V-38620" tag "rid": "SV-50421r1_rule" 
@@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine the current status of + desc 'check', "Run the following command to determine the current status of the \"ntpd\" service: # service ntpd status @@ -36,7 +36,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"ntpd\" service can be enabled with the following command: + desc 'fix', "The \"ntpd\" service can be enabled with the following command: # chkconfig ntpd on # service ntpd start" diff --git a/controls/V-38621.rb b/controls/V-38621.rb index 5d12db5..dc6c92d 100644 --- a/controls/V-38621.rb +++ b/controls/V-38621.rb @@ -4,7 +4,7 @@ desc "Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000056" tag "gid": "V-38621" tag "rid": "SV-50422r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "A remote NTP server should be configured for time + desc 'check', "A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. /etc/ntp.conf @@ -34,7 +34,7 @@ If this is not the case, this is a finding." - tag "fix": "To specify a remote NTP server for time synchronization, edit the + desc 'fix', "To specify a remote NTP server for time synchronization, edit the file \"/etc/ntp.conf\". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. diff --git a/controls/V-38622.rb b/controls/V-38622.rb index 550be95..e83f916 100644 --- a/controls/V-38622.rb +++ b/controls/V-38622.rb 
@@ -3,7 +3,7 @@ desc "This ensures \"postfix\" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38622" tag "rid": "SV-50423r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is an authorized mail relay host, this is not + desc 'check', "If the system is an authorized mail relay host, this is not applicable. Run the following command to ensure postfix accepts mail messages from only the @@ -31,7 +31,7 @@ If properly configured, the output should show only \"localhost\". If it does not, this is a finding." - tag "fix": "Edit the file \"/etc/postfix/main.cf\" to ensure that only the + desc 'fix', "Edit the file \"/etc/postfix/main.cf\" to ensure that only the following \"inet_interfaces\" line appears: inet_interfaces = localhost" diff --git a/controls/V-38623.rb b/controls/V-38623.rb index 01f2072..a0da93c 100644 --- a/controls/V-38623.rb +++ b/controls/V-38623.rb @@ -4,7 +4,7 @@ desc "Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000206" tag "gid": "V-38623" tag "rid": "SV-50424r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The file permissions for all log files written by rsyslog + desc 'check', "The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". For each log file [LOGFILE] referenced in 
@@ -36,7 +36,7 @@ from consideration. If the permissions are not correct, this is a finding." - tag "fix": "The file permissions for all log files written by rsyslog should + desc 'fix', "The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in \"/etc/rsyslog.conf\" and typically all appear in \"/var/log\". For each log file [LOGFILE] referenced in diff --git a/controls/V-38624.rb b/controls/V-38624.rb index 48dcf41..2826dd7 100644 --- a/controls/V-38624.rb +++ b/controls/V-38624.rb @@ -3,7 +3,7 @@ desc "Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38624" tag "rid": "SV-50425r1_rule" @@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following commands to determine the current status of + desc 'check', "Run the following commands to determine the current status of the \"logrotate\" service: # grep logrotate /var/log/cron* If the logrotate service is not run on a daily basis by cron, this is a finding." - tag "fix": "The \"logrotate\" service should be installed or reinstalled if + desc 'fix', "The \"logrotate\" service should be installed or reinstalled if it is not installed and operating properly, by running the following command: # yum reinstall logrotate" diff --git a/controls/V-38627.rb b/controls/V-38627.rb index 9f4f714..03d9113 100644 --- a/controls/V-38627.rb +++ b/controls/V-38627.rb 
@@ -2,7 +2,7 @@ title "The openldap-servers package must not be installed unless required." desc "Unnecessary packages should not be installed to decrease the attack surface of the system." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38627" tag "rid": "SV-50428r2_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the \"openldap-servers\" package is not installed, + desc 'check', "To verify the \"openldap-servers\" package is not installed, run the following command: $ rpm -q openldap-servers @@ -31,7 +31,7 @@ If it does not, this is a finding." - tag "fix": "The \"openldap-servers\" package should be removed if not in use. + desc 'fix', "The \"openldap-servers\" package should be removed if not in use. # yum erase openldap-servers diff --git a/controls/V-38628.rb b/controls/V-38628.rb index 8f3a1ca..c5f81e3 100644 --- a/controls/V-38628.rb +++ b/controls/V-38628.rb @@ -5,7 +5,7 @@ desc "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000255" tag "gid": "V-38628" tag "rid": "SV-50429r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine the current status of + desc 'check', "Run the following command to determine the current status of the \"auditd\" service: # service auditd status @@ -34,7 +34,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"auditd\" service is an essential userspace component of the + desc 'fix', "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: 
diff --git a/controls/V-38629.rb b/controls/V-38629.rb index 1d155ba..54bfc6e 100644 --- a/controls/V-38629.rb +++ b/controls/V-38629.rb @@ -3,7 +3,7 @@ than 15 minutes." desc "Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000029" tag "gid": "V-38629" tag "rid": "SV-50430r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To check the current idle time-out value, run the following command: @@ -32,7 +32,7 @@ If properly configured, the output should be \"15\". If it is not, this is a finding." - tag "fix": "Run the following command to set the idle time-out value for + desc 'fix', "Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: # gconftool-2 \\ @@ -46,7 +46,7 @@ its('stdout.strip') { should cmp <= 15 } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38630.rb b/controls/V-38630.rb index cf06a15..a13bf31 100644 --- a/controls/V-38630.rb +++ b/controls/V-38630.rb @@ -7,7 +7,7 @@ real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000029" tag "gid": "V-38630" tag "rid": "SV-50431r3_rule" 
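Review bot: The assertion visible in the hunk context for V-38629, `its('stdout.strip') { should cmp <= 15 }`, passes a value of 0 as well, while the STIG text a few lines above says the output should be "15". I cannot confirm from here what 0 means to this GNOME version's `idle_delay` — if it disables the idle timer rather than locking immediately, the control would mark a non-compliant desktop as compliant. Worth confirming and, if so, tightening to `should cmp > 0` alongside the `<= 15` bound; the `describe` block itself starts outside the hunk. The `impact 'none'` plus `skip` in the `else` branch is the right N/A idiom and needs no change.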
@@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To check the screensaver mandatory use status, run the following command: @@ -36,7 +36,7 @@ If properly configured, the output should be \"true\". If it is not, this is a finding." - tag "fix": "Run the following command to activate the screensaver in the + desc 'fix', "Run the following command to activate the screensaver in the GNOME desktop after a period of inactivity: # gconftool-2 --direct \\ @@ -49,7 +49,7 @@ its('stdout.strip') { should eq 'true' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38631.rb b/controls/V-38631.rb index 2a788e8..fc13b52 100644 --- a/controls/V-38631.rb +++ b/controls/V-38631.rb @@ -4,7 +4,7 @@ desc "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000032" tag "gid": "V-38631" tag "rid": "SV-50432r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine the current status of + desc 'check', "Run the following command to determine the current status of the \"auditd\" service: # service auditd status @@ -33,7 +33,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"auditd\" service is an essential userspace component of the + desc 'fix', "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: 
diff --git a/controls/V-38632.rb b/controls/V-38632.rb index d28b9bb..b02a626 100644 --- a/controls/V-38632.rb +++ b/controls/V-38632.rb @@ -4,7 +4,7 @@ desc "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000037" tag "gid": "V-38632" tag "rid": "SV-50433r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to determine the current status of + desc 'check', "Run the following command to determine the current status of the \"auditd\" service: # service auditd status @@ -33,7 +33,7 @@ If the service is not running, this is a finding." - tag "fix": "The \"auditd\" service is an essential userspace component of the + desc 'fix', "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: diff --git a/controls/V-38633.rb b/controls/V-38633.rb index 4fccad5..1ac0cf1 100644 --- a/controls/V-38633.rb +++ b/controls/V-38633.rb @@ -3,7 +3,7 @@ desc "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38633" tag "rid": "SV-50434r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine how much data the system will retain in each audit log file: \"# grep max_log_file /etc/audit/auditd.conf\" 
@@ -30,7 +30,7 @@ If the system audit data threshold hasn't been properly set up, this is a finding." - tag "fix": "Determine the amount of audit data (in megabytes) which should be + desc 'fix', "Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file \"/etc/audit/auditd.conf\". Add or modify the following line, substituting the correct value for [STOREMB]: diff --git a/controls/V-38634.rb b/controls/V-38634.rb index 11b95d3..75ee22e 100644 --- a/controls/V-38634.rb +++ b/controls/V-38634.rb @@ -6,7 +6,7 @@ overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, \"keep_logs\" can be employed." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38634" tag "rid": "SV-50435r2_rule" @@ -24,7 +24,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: @@ -37,7 +37,7 @@ If the system has not been properly set up to rotate audit logs, this is a finding." - tag "fix": "The default action to take when the logs reach their maximum size + desc 'fix', "The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by \"auditd\", add or correct the line in \"/etc/audit/auditd.conf\": diff --git a/controls/V-38636.rb b/controls/V-38636.rb index a9d9558..2a957be 100644 --- a/controls/V-38636.rb +++ b/controls/V-38636.rb 
@@ -4,7 +4,7 @@ desc "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38636" tag "rid": "SV-50437r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine how many logs the system is configured to retain after rotation: \"# grep num_logs /etc/audit/auditd.conf\" @@ -31,7 +31,7 @@ If the overall system log file(s) retention hasn't been properly set up, this is a finding." - tag "fix": "Determine how many log files \"auditd\" should retain when it + desc 'fix', "Determine how many log files \"auditd\" should retain when it rotates logs. Edit the file \"/etc/audit/auditd.conf\". Add or modify the following line, substituting [NUMLOGS] with the correct value: diff --git a/controls/V-38637.rb b/controls/V-38637.rb index d8d903d..7828b9c 100644 --- a/controls/V-38637.rb +++ b/controls/V-38637.rb @@ -4,7 +4,7 @@ desc "The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000278" tag "gid": "V-38637" tag "rid": "SV-50438r2_rule" 
@@ -22,14 +22,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will list which audit files on the system + desc 'check', "The following command will list which audit files on the system have file hashes different from what is expected by the RPM database. # rpm -V audit | awk '$1 ~ /..5/ && $2 != \"c\"' If there is output, this is a finding." - tag "fix": "The RPM package management system can check the hashes of audit + desc 'fix', "The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: diff --git a/controls/V-38638.rb b/controls/V-38638.rb index 5fcce02..fd1162a 100644 --- a/controls/V-38638.rb +++ b/controls/V-38638.rb @@ -3,7 +3,7 @@ desc "Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000029" tag "gid": "V-38638" tag "rid": "SV-50439r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To check the status of the idle screen lock activation, run the following command: @@ -32,7 +32,7 @@ If properly configured, the output should be \"true\". If it is not, this is a finding." - tag "fix": "Run the following command to activate locking of the screensaver + desc 'fix', "Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: # gconftool-2 --direct \\ 
@@ -45,7 +45,7 @@ its('stdout.strip') { should eq 'true' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38639.rb b/controls/V-38639.rb index f906af1..962a61f 100644 --- a/controls/V-38639.rb +++ b/controls/V-38639.rb @@ -3,7 +3,7 @@ desktop environment session lock." desc "Setting the screensaver mode to blank-only conceals the contents of the display from passersby." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000031" tag "gid": "V-38639" tag "rid": "SV-50440r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To ensure the screensaver is configured to be blank, run the following command: @@ -30,7 +30,7 @@ If properly configured, the output should be \"blank-only\". If it is not, this is a finding." - tag "fix": "Run the following command to set the screensaver mode in the + desc 'fix', "Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: # gconftool-2 \\ @@ -44,7 +44,7 @@ its('stdout.strip') { should eq 'blank-only' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38640.rb b/controls/V-38640.rb index 75608e9..323d9a6 100644 --- a/controls/V-38640.rb +++ b/controls/V-38640.rb @@ -3,7 +3,7 @@ desc "Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38640" tag "rid": "SV-50441r2_rule" 
@@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"abrtd\" service is disabled in system boot + desc 'check', "To check that the \"abrtd\" service is disabled in system boot configuration, run the following command: # chkconfig \"abrtd\" --list @@ -43,7 +43,7 @@ If the service is running, this is a finding." - tag "fix": "The Automatic Bug Reporting Tool (\"abrtd\") daemon collects and + desc 'fix', "The Automatic Bug Reporting Tool (\"abrtd\") daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking diff --git a/controls/V-38641.rb b/controls/V-38641.rb index a8f6ff7..a85b226 100644 --- a/controls/V-38641.rb +++ b/controls/V-38641.rb @@ -4,7 +4,7 @@ carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with \"at\" or \"batch\" is not common." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38641" tag "rid": "SV-50442r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system requires the use of the \"atd\" service to + desc 'check', "If the system requires the use of the \"atd\" service to support an organizational requirement, this is not applicable. To check that the \"atd\" service is disabled in system boot configuration, run 
@@ -47,7 +47,7 @@ If the service is running, this is a finding." - tag "fix": "The \"at\" and \"batch\" commands can be used to schedule tasks + desc 'fix', "The \"at\" and \"batch\" commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon \"atd\" keeps track of tasks scheduled via \"at\" and \"batch\", and executes them at diff --git a/controls/V-38642.rb b/controls/V-38642.rb index 208c985..3a994a2 100644 --- a/controls/V-38642.rb +++ b/controls/V-38642.rb @@ -3,7 +3,7 @@ desc "The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38642" tag "rid": "SV-50443r1_rule" @@ -21,13 +21,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the value of the \"umask\", run the following command: + desc 'check', "To check the value of the \"umask\", run the following command: $ grep umask /etc/init.d/functions The output should show either \"022\" or \"027\". If it does not, this is a finding." - tag "fix": "The file \"/etc/init.d/functions\" includes initialization + desc 'fix', "The file \"/etc/init.d/functions\" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] diff --git a/controls/V-38643.rb b/controls/V-38643.rb index 3332439..171fa44 100644 --- a/controls/V-38643.rb +++ b/controls/V-38643.rb 
@@ -4,7 +4,7 @@ system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38643" tag "rid": "SV-50444r3_rule" @@ -22,14 +22,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To find world-writable files, run the following command for + desc 'check', "To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: # find [PART] -xdev -type f -perm -002 If there is output, this is a finding." - tag "fix": "It is generally a good idea to remove global (other) write access + desc 'fix', "It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account." diff --git a/controls/V-38644.rb b/controls/V-38644.rb index a9f9157..87ac8a5 100644 --- a/controls/V-38644.rb +++ b/controls/V-38644.rb @@ -4,7 +4,7 @@ rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000096" tag "gid": "V-38644" tag "rid": "SV-50445r2_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"ntpdate\" service is disabled in system + desc 'check', "To check that the \"ntpdate\" service is disabled in system boot configuration, run the following command: # chkconfig \"ntpdate\" --list 
@@ -44,7 +44,7 @@ If the service is running, this is a finding." - tag "fix": "The ntpdate service sets the local hardware clock by polling NTP + desc 'fix', "The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in \"/etc/ntp/step-tickers\" or \"/etc/ntp.conf\" and then sets the local hardware clock to the newly synchronized system time. The \"ntpdate\" service can be diff --git a/controls/V-38645.rb b/controls/V-38645.rb index 0027094..f79ddc2 100644 --- a/controls/V-38645.rb +++ b/controls/V-38645.rb @@ -3,7 +3,7 @@ desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38645" tag "rid": "SV-50446r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify the \"umask\" setting is configured correctly in the + desc 'check', "Verify the \"umask\" setting is configured correctly in the \"/etc/login.defs\" file by running the following command: # grep -i \"umask\" /etc/login.defs @@ -34,7 +34,7 @@ If the above command returns no output, or if the umask is configured incorrectly, this is a finding." - tag "fix": "To ensure the default umask controlled by \"/etc/login.defs\" is + desc 'fix', "To ensure the default umask controlled by \"/etc/login.defs\" is set properly, add or correct the \"umask\" setting in \"/etc/login.defs\" to read as follows: diff --git a/controls/V-38646.rb b/controls/V-38646.rb index bb0a850..3d686bf 100644 --- a/controls/V-38646.rb +++ b/controls/V-38646.rb 
@@ -4,7 +4,7 @@
 environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000096"
 tag "gid": "V-38646"
 tag "rid": "SV-50447r2_rule"
@@ -22,7 +22,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To check that the \"oddjobd\" service is disabled in system
+ desc 'check', "To check that the \"oddjobd\" service is disabled in system
 boot configuration, run the following command: # chkconfig \"oddjobd\" --list
@@ -44,7 +44,7 @@
 If the service is running, this is a finding."
- tag "fix": "The \"oddjobd\" service exists to provide an interface and access
+ desc 'fix', "The \"oddjobd\" service exists to provide an interface and access
 control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with \"oddjobd\" is through the system message bus. The \"oddjobd\" service can be disabled with the following
diff --git a/controls/V-38647.rb b/controls/V-38647.rb
index 8980d39..7713ac4 100644
--- a/controls/V-38647.rb
+++ b/controls/V-38647.rb
@@ -3,7 +3,7 @@
 desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38647"
 tag "rid": "SV-50448r1_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Verify the \"umask\" setting is configured correctly in the
+ desc 'check', "Verify the \"umask\" setting is configured correctly in the
 \"/etc/profile\" file by running the following command: # grep \"umask\" /etc/profile
@@ -34,7 +34,7 @@
 If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
- tag "fix": "To ensure the default umask controlled by \"/etc/profile\" is set
+ desc 'fix', "To ensure the default umask controlled by \"/etc/profile\" is set
 properly, add or correct the \"umask\" setting in \"/etc/profile\" to read as follows:
diff --git a/controls/V-38648.rb b/controls/V-38648.rb
index f017ec6..100f0a0 100644
--- a/controls/V-38648.rb
+++ b/controls/V-38648.rb
@@ -5,7 +5,7 @@
 network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the \"qpidd\" service is not needed and should be disabled or removed."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000096"
 tag "gid": "V-38648"
 tag "rid": "SV-50449r2_rule"
@@ -23,7 +23,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To check that the \"qpidd\" service is disabled in system boot
+ desc 'check', "To check that the \"qpidd\" service is disabled in system boot
 configuration, run the following command: # chkconfig \"qpidd\" --list
@@ -45,7 +45,7 @@
 If the service is running, this is a finding."
- tag "fix": "The \"qpidd\" service provides high speed, secure, guaranteed
+ desc 'fix', "The \"qpidd\" service provides high speed, secure, guaranteed
 delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. The \"qpidd\" service can be disabled with the following
diff --git a/controls/V-38649.rb b/controls/V-38649.rb
index 12e0e62..86d7884 100644
--- a/controls/V-38649.rb
+++ b/controls/V-38649.rb
@@ -3,7 +3,7 @@
 desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38649"
 tag "rid": "SV-50450r1_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Verify the \"umask\" setting is configured correctly in the
+ desc 'check', "Verify the \"umask\" setting is configured correctly in the
 \"/etc/csh.cshrc\" file by running the following command: # grep \"umask\" /etc/csh.cshrc
@@ -34,7 +34,7 @@
 If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
- tag "fix": "To ensure the default umask for users of the C shell is set
+ desc 'fix', "To ensure the default umask for users of the C shell is set
 properly, add or correct the \"umask\" setting in \"/etc/csh.cshrc\" to read as follows:
diff --git a/controls/V-38650.rb b/controls/V-38650.rb
index 0e5930e..45f4f25 100644
--- a/controls/V-38650.rb
+++ b/controls/V-38650.rb
@@ -4,7 +4,7 @@
 information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000096"
 tag "gid": "V-38650"
 tag "rid": "SV-50451r2_rule"
@@ -22,7 +22,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To check that the \"rdisc\" service is disabled in system boot
+ desc 'check', "To check that the \"rdisc\" service is disabled in system boot
 configuration, run the following command: # chkconfig \"rdisc\" --list
@@ -44,7 +44,7 @@
 If the service is running, this is a finding."
- tag "fix": "The \"rdisc\" service implements the client side of the ICMP
+ desc 'fix', "The \"rdisc\" service implements the client side of the ICMP
 Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled.
diff --git a/controls/V-38651.rb b/controls/V-38651.rb
index 0db82c7..dc63a1e 100644
--- a/controls/V-38651.rb
+++ b/controls/V-38651.rb
@@ -3,7 +3,7 @@
 desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38651"
 tag "rid": "SV-50452r1_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Verify the \"umask\" setting is configured correctly in the
+ desc 'check', "Verify the \"umask\" setting is configured correctly in the
 \"/etc/bashrc\" file by running the following command: # grep \"umask\" /etc/bashrc
@@ -35,7 +35,7 @@
 If the above command returns no output, or if the umask is configured incorrectly, this is a finding."
- tag "fix": "To ensure the default umask for users of the Bash shell is set
+ desc 'fix', "To ensure the default umask for users of the Bash shell is set
 properly, add or correct the \"umask\" setting in \"/etc/bashrc\" to read as follows:
diff --git a/controls/V-38652.rb b/controls/V-38652.rb
index 6c19b60..3bb778c 100644
--- a/controls/V-38652.rb
+++ b/controls/V-38652.rb
@@ -2,7 +2,7 @@
 title "Remote file systems must be mounted with the nodev option."
 desc "Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38652"
 tag "rid": "SV-50453r2_rule"
@@ -20,7 +20,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To verify the \"nodev\" option is configured for all NFS
+ desc 'check', "To verify the \"nodev\" option is configured for all NFS
 mounts, run the following command: $ mount | grep \"nfs \"
@@ -28,7 +28,7 @@
 All NFS mounts should show the \"nodev\" setting in parentheses, along with other mount options. If the setting does not show, this is a finding."
- tag "fix": "Add the \"nodev\" option to the fourth column of \"/etc/fstab\"
+ desc 'fix', "Add the \"nodev\" option to the fourth column of \"/etc/fstab\"
 for the line which controls mounting of any NFS mounts."
 describe command('mount | grep \"nfs \"') do
diff --git a/controls/V-38653.rb b/controls/V-38653.rb
index daf5449..1bf6553 100644
--- a/controls/V-38653.rb
+++ b/controls/V-38653.rb
@@ -2,7 +2,7 @@
 title "The snmpd service must not use a default password."
 desc "Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system."
- impact 0.7
+ impact 'high'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38653"
 tag "rid": "SV-50454r1_rule"
@@ -20,14 +20,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To ensure the default password is not set, run the following
+ desc 'check', "To ensure the default password is not set, run the following
 command: # grep -v \"^#\" /etc/snmp/snmpd.conf| grep public There should be no output. If there is output, this is a finding."
- tag "fix": "Edit \"/etc/snmp/snmpd.conf\", remove default community string
+ desc 'fix', "Edit \"/etc/snmp/snmpd.conf\", remove default community string
 \"public\". Upon doing that, restart the SNMP service: # service snmpd restart"
diff --git a/controls/V-38654.rb b/controls/V-38654.rb
index b550aa3..2e80695 100644
--- a/controls/V-38654.rb
+++ b/controls/V-38654.rb
@@ -3,7 +3,7 @@
 desc "NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38654"
 tag "rid": "SV-50455r2_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To verify the \"nosuid\" option is configured for all NFS
+ desc 'check', "To verify the \"nosuid\" option is configured for all NFS
 mounts, run the following command: $ mount | grep nfs
@@ -29,7 +29,7 @@
 All NFS mounts should show the \"nosuid\" setting in parentheses, along with other mount options. If the setting does not show, this is a finding."
- tag "fix": "Add the \"nosuid\" option to the fourth column of \"/etc/fstab\"
+ desc 'fix', "Add the \"nosuid\" option to the fourth column of \"/etc/fstab\"
 for the line which controls mounting of any NFS mounts."
 describe command('mount | grep nfs') do
diff --git a/controls/V-38655.rb b/controls/V-38655.rb
index 62c5a92..0b1b6a1 100644
--- a/controls/V-38655.rb
+++ b/controls/V-38655.rb
@@ -2,7 +2,7 @@
 title "The noexec option must be added to removable media partitions."
 desc "Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000035"
 tag "gid": "V-38655"
 tag "rid": "SV-50456r1_rule"
@@ -20,14 +20,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To verify that binaries cannot be directly executed from
+ desc 'check', "To verify that binaries cannot be directly executed from
 removable media, run the following command: # grep noexec /etc/fstab The output should show \"noexec\" in use. If it does not, this is a finding."
- tag "fix": "The \"noexec\" mount option prevents the direct execution of
+ desc 'fix', "The \"noexec\" mount option prevents the direct execution of
 binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The \"noexec\" option prevents code from being executed directly from the
diff --git a/controls/V-38656.rb b/controls/V-38656.rb
index 8db4ac7..b960dbc 100644
--- a/controls/V-38656.rb
+++ b/controls/V-38656.rb
@@ -3,7 +3,7 @@
 using smbclient."
 desc "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38656"
 tag "rid": "SV-50457r1_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To verify that Samba clients running smbclient must use packet
+ desc 'check', "To verify that Samba clients running smbclient must use packet
 signing, run the following command: # grep signing /etc/samba/smb.conf
@@ -32,7 +32,7 @@
 If it is not, this is a finding."
- tag "fix": "To require samba clients running \"smbclient\" to use packet
+ desc 'fix', "To require samba clients running \"smbclient\" to use packet
 signing, add the following to the \"[global]\" section of the Samba configuration file in \"/etc/samba/smb.conf\":
diff --git a/controls/V-38657.rb b/controls/V-38657.rb
index 39eb8b0..7366eda 100644
--- a/controls/V-38657.rb
+++ b/controls/V-38657.rb
@@ -3,7 +3,7 @@
 using mount.cifs."
 desc "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38657"
 tag "rid": "SV-50458r2_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "If Samba is not in use, this is not applicable.
+ desc 'check', "If Samba is not in use, this is not applicable.
 To verify that Samba clients using mount.cifs must use packet signing, run the following command:
@@ -30,7 +30,7 @@
 The output should show either \"krb5i\" or \"ntlmv2i\" in use. If it does not, this is a finding."
- tag "fix": "Require packet signing of clients who mount Samba shares using
+ desc 'fix', "Require packet signing of clients who mount Samba shares using
 the \"mount.cifs\" program (e.g., those who specify shares in \"/etc/fstab\"). To do so, ensure signing options (either \"sec=krb5i\" or \"sec=ntlmv2i\") are used.
@@ -50,7 +50,7 @@
 cifs_mounts = mounts.select { |mnt| mnt['type'] == 'cifs' }
 if cifs_mounts.empty?
- impact 0.0
+ impact 'none'
 describe "Samba shares not in use" do
 skip "Samba shares not in use, this control Not Applicable"
 end
diff --git a/controls/V-38658.rb b/controls/V-38658.rb
index f31b68b..2bcb009 100644
--- a/controls/V-38658.rb
+++ b/controls/V-38658.rb
@@ -3,7 +3,7 @@
 iterations."
 desc "Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000077"
 tag "gid": "V-38658"
 tag "rid": "SV-50459r6_rule"
@@ -21,7 +21,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To verify the password reuse setting is compliant, run the
+ desc 'check', "To verify the password reuse setting is compliant, run the
 following command: # grep remember /etc/pam.d/system-auth /etc/pam.d/password-auth
@@ -29,7 +29,7 @@
 If the line is commented out, the line does not contain \"password required pam_pwhistory.so\" or \"password requisite pam_pwhistory.so\", or the value for \"remember\" is less than \"5\", this is a finding."
- tag "fix": "Do not allow users to reuse recent passwords. This can be
+ desc 'fix', "Do not allow users to reuse recent passwords. This can be
 accomplished by using the \"remember\" option for the \"pam_pwhistory\" PAM module. In the file \"/etc/pam.d/system-auth\" and /etc/pam.d/password-auth, append \"remember=5\" to the lines that refer to the \"pam_pwhistory.so\"
diff --git a/controls/V-38659.rb b/controls/V-38659.rb
index 37a0552..fad65f9 100644
--- a/controls/V-38659.rb
+++ b/controls/V-38659.rb
@@ -4,7 +4,7 @@
 desc "The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000131"
 tag "gid": "V-38659"
 tag "rid": "SV-50460r2_rule"
@@ -22,10 +22,10 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Determine if encryption must be used to protect data on the
+ desc 'check', "Determine if encryption must be used to protect data on the
 system. If encryption must be used and is not employed, this is a finding."
- tag "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption
+ desc 'fix', "Red Hat Enterprise Linux 6 natively supports partition encryption
 through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
diff --git a/controls/V-38660.rb b/controls/V-38660.rb
index b000bef..620cb03 100644
--- a/controls/V-38660.rb
+++ b/controls/V-38660.rb
@@ -4,7 +4,7 @@
 allow unauthorized access to detailed system management information. "
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38660"
 tag "rid": "SV-50461r1_rule"
@@ -22,14 +22,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To ensure only SNMPv3 or newer is used, run the following
+ desc 'check', "To ensure only SNMPv3 or newer is used, run the following
 command: # grep 'v1\\|v2c\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#' There should be no output. If there is output, this is a finding."
- tag "fix": "Edit \"/etc/snmp/snmpd.conf\", removing any references to \"v1\",
+ desc 'fix', "Edit \"/etc/snmp/snmpd.conf\", removing any references to \"v1\",
 \"v2c\", or \"com2sec\". Upon doing that, restart the SNMP service: # service snmpd restart"
diff --git a/controls/V-38661.rb b/controls/V-38661.rb
index e01dd19..278cbdb 100644
--- a/controls/V-38661.rb
+++ b/controls/V-38661.rb
@@ -4,7 +4,7 @@
 desc "The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000185"
 tag "gid": "V-38661"
 tag "rid": "SV-50462r2_rule"
@@ -22,10 +22,10 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Determine if encryption must be used to protect data on the
+ desc 'check', "Determine if encryption must be used to protect data on the
 system. If encryption must be used and is not employed, this is a finding."
- tag "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption
+ desc 'fix', "Red Hat Enterprise Linux 6 natively supports partition encryption
 through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
diff --git a/controls/V-38662.rb b/controls/V-38662.rb
index 0cc7bb4..462e802 100644
--- a/controls/V-38662.rb
+++ b/controls/V-38662.rb
@@ -5,7 +5,7 @@
 desc "The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000230"
 tag "gid": "V-38662"
 tag "rid": "SV-50463r2_rule"
@@ -23,10 +23,10 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Determine if encryption must be used to protect data on the
+ desc 'check', "Determine if encryption must be used to protect data on the
 system. If encryption must be used and is not employed, this is a finding."
- tag "fix": "Red Hat Enterprise Linux 6 natively supports partition encryption
+ desc 'fix', "Red Hat Enterprise Linux 6 natively supports partition encryption
 through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.
diff --git a/controls/V-38663.rb b/controls/V-38663.rb
index b0f6d7a..3be4039 100644
--- a/controls/V-38663.rb
+++ b/controls/V-38663.rb
@@ -5,7 +5,7 @@
 generous could allow an unauthorized user to gain privileges that they should not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000256"
 tag "gid": "V-38663"
 tag "rid": "SV-50464r1_rule"
@@ -23,7 +23,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "The following command will list which audit files on the system
+ desc 'check', "The following command will list which audit files on the system
 have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M'
@@ -37,7 +37,7 @@
 If the existing permissions are more permissive than those expected by RPM, this is a finding."
- tag "fix": "The RPM package management system can restore file access
+ desc 'fix', "The RPM package management system can restore file access
 permissions of the audit package files and directories. The following command will update audit files with permissions different from what is expected by the RPM database:
diff --git a/controls/V-38664.rb b/controls/V-38664.rb
index 24ad93a..87d5ed9 100644
--- a/controls/V-38664.rb
+++ b/controls/V-38664.rb
@@ -5,7 +5,7 @@
 could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000257"
 tag "gid": "V-38664"
 tag "rid": "SV-50465r1_rule"
@@ -23,14 +23,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "The following command will list which audit files on the system
+ desc 'check', "The following command will list which audit files on the system
 have ownership different from what is expected by the RPM database: # rpm -V audit | grep '^.....U' If there is output, this is a finding."
- tag "fix": "The RPM package management system can restore file ownership of
+ desc 'fix', "The RPM package management system can restore file ownership of
 the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database:
diff --git a/controls/V-38665.rb b/controls/V-38665.rb
index d8fef24..0acd444 100644
--- a/controls/V-38665.rb
+++ b/controls/V-38665.rb
@@ -5,7 +5,7 @@
 incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000258"
 tag "gid": "V-38665"
 tag "rid": "SV-50466r1_rule"
@@ -23,14 +23,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "The following command will list which audit files on the system
+ desc 'check', "The following command will list which audit files on the system
 have group-ownership different from what is expected by the RPM database: # rpm -V audit | grep '^......G' If there is output, this is a finding."
- tag "fix": "The RPM package management system can restore file
+ desc 'fix', "The RPM package management system can restore file
 group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database:
diff --git a/controls/V-38667.rb b/controls/V-38667.rb
index 78b24ff..5bf89f5 100644
--- a/controls/V-38667.rb
+++ b/controls/V-38667.rb
@@ -5,7 +5,7 @@
 provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000196"
 tag "gid": "V-38667"
 tag "rid": "SV-50468r3_rule"
@@ -23,7 +23,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Ask the SA or ISSO if a host-based intrusion detection
+ desc 'check', "Ask the SA or ISSO if a host-based intrusion detection
 application is loaded on the system. Per OPORD 16-0080 the preferred intrusion detection system is McAfee HBSS available through Cybercom.
@@ -58,7 +58,7 @@
 If no host-based intrusion detection system is installed and running on the system, this is a finding. "
- tag "fix": "Install and enable the latest McAfee HIPS package, available from
+ desc 'fix', "Install and enable the latest McAfee HIPS package, available from
 Cybercom. If the system does not support the McAfee HIPS package, install and enable a
diff --git a/controls/V-38668.rb b/controls/V-38668.rb
index 255b1c7..a9e0876 100644
--- a/controls/V-38668.rb
+++ b/controls/V-38668.rb
@@ -6,7 +6,7 @@
 availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken."
- impact 0.7
+ impact 'high'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38668"
 tag "rid": "SV-50469r4_rule"
@@ -24,7 +24,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To ensure the system is configured to log a message instead of
+ desc 'check', "To ensure the system is configured to log a message instead of
 rebooting the system when Ctrl-Alt-Delete is pressed, ensure the following line is in \"/etc/init/control-alt-delete.override\":
@@ -32,7 +32,7 @@
 If the system is not configured to block the shutdown command when Ctrl-Alt-Delete is pressed, this is a finding. "
- tag "fix": "By default, the system includes the following line in
+ desc 'fix', "By default, the system includes the following line in
 \"/etc/init/control-alt-delete.conf\" to reboot the system when the Ctrl-Alt-Delete key sequence is pressed:
diff --git a/controls/V-38669.rb b/controls/V-38669.rb
index cb8f309..1e61d75 100644
--- a/controls/V-38669.rb
+++ b/controls/V-38669.rb
@@ -2,7 +2,7 @@
 title "The postfix service must be enabled for mail delivery."
 desc "Local mail delivery is essential to some system maintenance and notification tasks."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38669"
 tag "rid": "SV-50470r1_rule"
@@ -20,7 +20,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Run the following command to determine the current status of
+ desc 'check', "Run the following command to determine the current status of
 the \"postfix\" service: # service postfix status
@@ -30,7 +30,7 @@
 postfix is running... If the service is not enabled, this is a finding."
- tag "fix": "The Postfix mail transfer agent is used for local mail delivery
+ desc 'fix', "The Postfix mail transfer agent is used for local mail delivery
 within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The
diff --git a/controls/V-38670.rb b/controls/V-38670.rb
index 3c5d770..d0bbd34 100644
--- a/controls/V-38670.rb
+++ b/controls/V-38670.rb
@@ -3,7 +3,7 @@
 information. "
 desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-000202"
 tag "gid": "V-38670"
 tag "rid": "SV-50471r2_rule"
@@ -21,13 +21,13 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To determine that periodic AIDE execution has been scheduled,
+ desc 'check', "To determine that periodic AIDE execution has been scheduled,
 run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding."
- tag "fix": "AIDE should be executed on a periodic basis to check for changes.
+ desc 'fix', "AIDE should be executed on a periodic basis to check for changes.
 To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
diff --git a/controls/V-38671.rb b/controls/V-38671.rb
index 0493830..3eecfcd 100644
--- a/controls/V-38671.rb
+++ b/controls/V-38671.rb
@@ -3,7 +3,7 @@
 desc "The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead."
- impact 0.5
+ impact 'medium'
 tag "gtitle": "SRG-OS-999999"
 tag "gid": "V-38671"
 tag "rid": "SV-50472r1_rule"
@@ -21,14 +21,14 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "Run the following command to determine if the \"sendmail\"
+ desc 'check', "Run the following command to determine if the \"sendmail\"
 package is installed: # rpm -q sendmail If the package is installed, this is a finding."
- tag "fix": "Sendmail is not the default mail transfer agent and is not
+ desc 'fix', "Sendmail is not the default mail transfer agent and is not
 installed by default. The \"sendmail\" package can be removed with the following command:
diff --git a/controls/V-38672.rb b/controls/V-38672.rb
index e397ef2..1d0341a 100644
--- a/controls/V-38672.rb
+++ b/controls/V-38672.rb
@@ -2,7 +2,7 @@
 title "The netconsole service must be disabled unless required."
 desc "The \"netconsole\" service is not necessary unless there is a need to debug kernel panics, which is not common."
- impact 0.3
+ impact 'low'
 tag "gtitle": "SRG-OS-000096"
 tag "gid": "V-38672"
 tag "rid": "SV-50473r2_rule"
@@ -20,7 +20,7 @@
 tag "mitigation_controls": nil
 tag "responsibility": nil
 tag "ia_controls": nil
- tag "check": "To check that the \"netconsole\" service is disabled in system
+ desc 'check', "To check that the \"netconsole\" service is disabled in system
 boot configuration, run the following command: # chkconfig \"netconsole\" --list
@@ -43,7 +43,7 @@
 If the service is running, this is a finding."
- tag "fix": "The \"netconsole\" service is responsible for loading the
+ desc 'fix', "The \"netconsole\" service is responsible for loading the
 netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. The \"netconsole\" service can be disabled
diff --git a/controls/V-38673.rb b/controls/V-38673.rb
index 0a814c6..0e8b8f7 100644
--- a/controls/V-38673.rb
+++ b/controls/V-38673.rb
@@ -3,7 +3,7 @@ configuration changes detected are tracked." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000265" tag "gid": "V-38673" tag "rid": "SV-50474r2_rule" @@ -21,13 +21,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine that periodic AIDE execution has been scheduled, + desc 'check', "To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding." - tag "fix": "AIDE should be executed on a periodic basis to check for changes. + desc 'fix', "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/controls/V-38674.rb b/controls/V-38674.rb index 6ac4f7d..d5e5bb3 100644 --- a/controls/V-38674.rb +++ b/controls/V-38674.rb @@ -2,7 +2,7 @@ title "X Windows must not be enabled unless required." desc "Unnecessary services should be disabled to decrease the attack surface of the system." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000248" tag "gid": "V-38674" tag "rid": "SV-50475r1_rule" @@ -20,7 +20,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the default runlevel is 3, run the following command: + desc 'check', "To verify the default runlevel is 3, run the following command: # grep initdefault /etc/inittab @@ -30,7 +30,7 @@ If it does not, this is a finding." - tag "fix": "Setting the system's runlevel to 3 will prevent automatic startup + desc 'fix', "Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in \"/etc/inittab\" features a \"3\" as shown: 
diff --git a/controls/V-38675.rb b/controls/V-38675.rb index f5a50b3..9c933e8 100644 --- a/controls/V-38675.rb +++ b/controls/V-38675.rb @@ -3,7 +3,7 @@ desc "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38675" tag "rid": "SV-50476r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that core dumps are disabled for all users, run the + desc 'check', "To verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf @@ -31,7 +31,7 @@ * hard core 0 If it is not, this is a finding. " - tag "fix": "To disable core dumps for all users, add the following line to + desc 'fix', "To disable core dumps for all users, add the following line to \"/etc/security/limits.conf\": * hard core 0" diff --git a/controls/V-38676.rb b/controls/V-38676.rb index 3a64efe..5846daf 100644 --- a/controls/V-38676.rb +++ b/controls/V-38676.rb @@ -3,7 +3,7 @@ unless required." desc "Unnecessary packages should not be installed to decrease the attack surface of the system." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38676" tag "rid": "SV-50477r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure the X Windows package group is removed, run the + desc 'check', "To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common 
@@ -32,7 +32,7 @@ If it is not, this is a finding." - tag "fix": "Removing all packages which constitute the X Window System + desc 'fix', "Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: diff --git a/controls/V-38677.rb b/controls/V-38677.rb index c75300a..8a03698 100644 --- a/controls/V-38677.rb +++ b/controls/V-38677.rb @@ -2,7 +2,7 @@ title "The NFS server must not have the insecure file locking option enabled." desc "Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-000104" tag "gid": "V-38677" tag "rid": "SV-50478r1_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify insecure file locking has been disabled, run the + desc 'check', "To verify insecure file locking has been disabled, run the following command: # grep insecure_locks /etc/exports If there is output, this is a finding." - tag "fix": "By default the NFS server requires secure file-lock requests, + desc 'fix', "By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the diff --git a/controls/V-38678.rb b/controls/V-38678.rb index a29ac29..f92f53c 100644 --- a/controls/V-38678.rb +++ b/controls/V-38678.rb @@ -4,7 +4,7 @@ capacity." desc "Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000048" tag "gid": "V-38678" tag "rid": "SV-50479r2_rule" 
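Review bot: The check in the V-38677 `@@ -20,14 +20,14 @@` hunk, `# grep insecure_locks /etc/exports`, is a bare substring match: a commented-out export line containing the option is reported as a finding, and the synonym `no_auth_nlm` that exports(5) accepts for the same option is not detected at all. The printed check text is presumably reproduced verbatim from the STIG and may need to stay as is, but if the `describe` block for this control (outside this hunk) mirrors the grep, it should match both spellings on non-comment lines only, e.g. `grep -E '^[^#]*(insecure_locks|no_auth_nlm)' /etc/exports`. Otherwise the `impact 'high'` assigned in the hunk above depends on which spelling the administrator happened to use.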
@@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: @@ -34,7 +34,7 @@ If the \"num_megabytes\" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding." - tag "fix": "The \"auditd\" service can be configured to take an action when + desc 'fix', "The \"auditd\" service can be configured to take an action when disk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [num_megabytes] appropriately: diff --git a/controls/V-38679.rb b/controls/V-38679.rb index 965cf89..c65a98d 100644 --- a/controls/V-38679.rb +++ b/controls/V-38679.rb @@ -4,7 +4,7 @@ trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38679" tag "rid": "SV-50480r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If DHCP is required by the organization, this is Not Applicable. + desc 'check', "If DHCP is required by the organization, this is Not Applicable. For each interface [IFACE] on the system (e.g. eth0), verify that DHCP is not being used: 
@@ -35,7 +35,7 @@ If no output is returned this is a finding. If BOOTPROTO is not set to \"none\", this is a finding. " - tag "fix": "For each interface [IFACE] on the system (e.g. eth0), edit + desc 'fix', "For each interface [IFACE] on the system (e.g. eth0), edit \"/etc/sysconfig/network-scripts/ifcfg-[IFACE]\" and make the following changes. diff --git a/controls/V-38680.rb b/controls/V-38680.rb index 4f38cb2..25c73ec 100644 --- a/controls/V-38680.rb +++ b/controls/V-38680.rb @@ -3,7 +3,7 @@ of audit log storage volume capacity issues." desc "Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000046" tag "gid": "V-38680" tag "rid": "SV-50481r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: @@ -30,7 +30,7 @@ If auditd is not configured to send emails per identified actions, this is a finding." - tag "fix": "The \"auditd\" service can be configured to send email to a + desc 'fix', "The \"auditd\" service can be configured to send email to a designated account in certain situations. Add or correct the following line in \"/etc/audit/auditd.conf\" to ensure that administrators are notified via email for those situations: diff --git a/controls/V-38681.rb b/controls/V-38681.rb index d504d06..a377085 100644 --- a/controls/V-38681.rb +++ b/controls/V-38681.rb 
@@ -2,7 +2,7 @@ title "All GIDs referenced in /etc/passwd must be defined in /etc/group" desc "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38681" tag "rid": "SV-50482r2_rule" @@ -20,14 +20,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure all GIDs referenced in /etc/passwd are defined in + desc 'check', "To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -r | grep 'no group' There should be no output. If there is output, this is a finding." - tag "fix": "Add a group to the system for each GID referenced without a + desc 'fix', "Add a group to the system for each GID referenced without a corresponding group." describe command("pwck -r | grep 'no group'") do diff --git a/controls/V-38682.rb b/controls/V-38682.rb index b27a7ca..2ff56be 100644 --- a/controls/V-38682.rb +++ b/controls/V-38682.rb @@ -3,7 +3,7 @@ desc "If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000034" tag "gid": "V-38682" tag "rid": "SV-50483r5_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system is configured to prevent the loading of the + desc 'check', "If the system is configured to prevent the loading of the \"bluetooth\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as 
@@ -45,7 +45,7 @@ grep -v \"#\" If no line is returned, this is a finding." - tag "fix": "The kernel's module loading system can be configured to prevent + desc 'fix', "The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate \"/etc/modprobe.d\" configuration file to prevent the loading of the Bluetooth module: @@ -61,4 +61,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38683.rb b/controls/V-38683.rb index 329313d..7b4a045 100644 --- a/controls/V-38683.rb +++ b/controls/V-38683.rb @@ -1,7 +1,7 @@ control "V-38683" do title "All accounts on the system must have unique user or account names" desc "Unique usernames allow for accountability on the system." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000121" tag "gid": "V-38683" tag "rid": "SV-50484r1_rule" @@ -19,13 +19,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to check for duplicate account names: + desc 'check', "Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding." - tag "fix": "Change usernames, or delete accounts, so each has a unique name." + desc 'fix', "Change usernames, or delete accounts, so each has a unique name." describe command("pwck -rq") do its('stdout.strip') { should be_empty } diff --git a/controls/V-38684.rb b/controls/V-38684.rb index 9be66c5..0445c45 100644 --- a/controls/V-38684.rb +++ b/controls/V-38684.rb @@ -5,7 +5,7 @@ of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000027" tag "gid": "V-38684" tag "rid": "SV-50485r2_rule" 
@@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to ensure the \"maxlogins\" value is + desc 'check', "Run the following command to ensure the \"maxlogins\" value is configured for all users on the system: $ grep \"maxlogins\" /etc/security/limits.conf /etc/security/limits.d/*.conf @@ -33,7 +33,7 @@ * hard maxlogins 10 If it is not similar, this is a finding. " - tag "fix": "Limiting the number of allowed users and sessions per user can + desc 'fix', "Limiting the number of allowed users and sessions per user can limit risks related to denial of service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per diff --git a/controls/V-38685.rb b/controls/V-38685.rb index 49b72fc..7526d7d 100644 --- a/controls/V-38685.rb +++ b/controls/V-38685.rb @@ -3,7 +3,7 @@ desc "When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000002" tag "gid": "V-38685" tag "rid": "SV-50486r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "For every temporary account, run the following command to + desc 'check', "For every temporary account, run the following command to obtain its account aging and expiration information: # chage -l [USER] 
@@ -29,7 +29,7 @@ Verify each of these accounts has an expiration date set as documented. If any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding." - tag "fix": "In the event temporary accounts are required, configure the + desc 'fix', "In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately: diff --git a/controls/V-38686.rb b/controls/V-38686.rb index 6a42f6a..39fbd74 100644 --- a/controls/V-38686.rb +++ b/controls/V-38686.rb @@ -5,7 +5,7 @@ applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000147" tag "gid": "V-38686" tag "rid": "SV-50487r2_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Run the following command to ensure the default \"FORWARD\" + desc 'check', "Run the following command to ensure the default \"FORWARD\" policy is \"DROP\": # iptables -nvL | grep -i forward @@ -32,7 +32,7 @@ If the default policy for the FORWARD chain is not set to DROP, this is a finding." - tag "fix": "To set the default policy to DROP (instead of ACCEPT) for the + desc 'fix', "To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in \"/etc/sysconfig/iptables\": diff --git a/controls/V-38687.rb b/controls/V-38687.rb index aaf4d3c..8a81abd 100644 --- a/controls/V-38687.rb +++ b/controls/V-38687.rb 
@@ -4,7 +4,7 @@ desc "Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000160" tag "gid": "V-38687" tag "rid": "SV-50488r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the system does not communicate over untrusted networks, + desc 'check', "If the system does not communicate over untrusted networks, this is not applicable. Run the following command to determine if the \"libreswan\" package is @@ -31,7 +31,7 @@ # rpm -q libreswan If the package is not installed, this is a finding." - tag "fix": "The \"libreswan\" package provides an implementation of IPsec and + desc 'fix', "The \"libreswan\" package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The \"libreswan\" package can be installed with the following command: diff --git a/controls/V-38688.rb b/controls/V-38688.rb index c3f1455..cce9336 100644 --- a/controls/V-38688.rb +++ b/controls/V-38688.rb @@ -3,7 +3,7 @@ graphical desktop environment login prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000024" tag "gid": "V-38688" tag "rid": "SV-50489r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To ensure a login warning banner is enabled, run the following: 
@@ -32,7 +32,7 @@ Search for the \"banner_message_enable\" schema. If properly configured, the \"default\" value should be \"true\". If it is not, this is a finding." - tag "fix": "To enable displaying a login warning banner in the GNOME Display + desc 'fix', "To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: # gconftool-2 --direct \\ @@ -48,7 +48,7 @@ its('stdout.strip') { should eq 'true' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38689.rb b/controls/V-38689.rb index 3cd1144..593e277 100644 --- a/controls/V-38689.rb +++ b/controls/V-38689.rb @@ -4,7 +4,7 @@ prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000228" tag "gid": "V-38689" tag "rid": "SV-50490r5_rule" @@ -24,7 +24,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To ensure login warning banner text is properly set, run the following: @@ -62,7 +62,7 @@ If the DoD required banner text does not appear in the schema, this is a finding." - tag "fix": "To set the text shown by the GNOME Display Manager in the login + desc 'fix', "To set the text shown by the GNOME Display Manager in the login screen, run the following command: # gconftool-2 @@ -110,7 +110,7 @@ it { should eq attribute('banner_text').gsub(%r{[\r\n\s]}, '') } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-38690.rb b/controls/V-38690.rb index 30467b1..23b2437 100644 
--- a/controls/V-38690.rb +++ b/controls/V-38690.rb @@ -4,7 +4,7 @@ desc "When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000123" tag "gid": "V-38690" tag "rid": "SV-50491r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "For every emergency account, run the following command to + desc 'check', "For every emergency account, run the following command to obtain its account aging and expiration information: # chage -l [USER] @@ -30,7 +30,7 @@ Verify each of these accounts has an expiration date set as documented. If any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding." - tag "fix": "In the event emergency accounts are required, configure the + desc 'fix', "In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately: diff --git a/controls/V-38691.rb b/controls/V-38691.rb index 4023883..634a7dc 100644 --- a/controls/V-38691.rb +++ b/controls/V-38691.rb @@ -4,7 +4,7 @@ attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000034" tag "gid": "V-38691" tag "rid": "SV-50492r2_rule" 
@@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check that the \"bluetooth\" service is disabled in system + desc 'check', "To check that the \"bluetooth\" service is disabled in system boot configuration, run the following command: # chkconfig \"bluetooth\" --list @@ -35,7 +35,7 @@ If the service is configured to run, this is a finding." - tag "fix": "The \"bluetooth\" service can be disabled with the following + desc 'fix', "The \"bluetooth\" service can be disabled with the following command: # chkconfig bluetooth off diff --git a/controls/V-38692.rb b/controls/V-38692.rb index e538a1d..af34336 100644 --- a/controls/V-38692.rb +++ b/controls/V-38692.rb @@ -3,7 +3,7 @@ desc "Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials." - impact 0.3 + impact 'low' tag "gtitle": "GEN006660" tag "gid": "V-38692" tag "rid": "SV-50493r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the \"INACTIVE\" setting, run the following command: + desc 'check', "To verify the \"INACTIVE\" setting, run the following command: grep \"INACTIVE\" /etc/default/useradd @@ -32,7 +32,7 @@ INACTIVE=35 If it does not, this is a finding." - tag "fix": "To specify the number of days after a password expires (which + desc 'fix', "To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\" appropriately: diff --git a/controls/V-38693.rb b/controls/V-38693.rb index d7713ef..6039220 100644 --- a/controls/V-38693.rb +++ b/controls/V-38693.rb 
@@ -3,7 +3,7 @@ consecutive repeating characters." desc "Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38693" tag "rid": "SV-50494r3_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check the maximum value for consecutive repeating + desc 'check', "To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth @@ -30,7 +30,7 @@ If \"maxrepeat\" is not found or is set to a value less than \"3\", this is a finding." - tag "fix": "The pam_cracklib module's \"maxrepeat\" parameter controls + desc 'fix', "The pam_cracklib module's \"maxrepeat\" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. diff --git a/controls/V-38694.rb b/controls/V-38694.rb index bd650a2..e804a6e 100644 --- a/controls/V-38694.rb +++ b/controls/V-38694.rb @@ -5,7 +5,7 @@ desc "Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000118" tag "gid": "V-38694" tag "rid": "SV-50495r1_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify the \"INACTIVE\" setting, run the following command: + desc 'check', "To verify the \"INACTIVE\" setting, run the following command: grep \"INACTIVE\" /etc/default/useradd 
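Review bot: The context line `If "maxrepeat" is not found or is set to a value less than "3", this is a finding.` in the V-38693 `@@ -30,7 +30,7 @@` hunk is inverted relative to the fix text added directly below it, which states that pam_cracklib rejects passwords containing more than `maxrepeat` consecutive identical characters: a larger value is the weaker setting, so `maxrepeat=5` would satisfy this wording while allowing the repeats the control title forbids. The wording looks carried over from the STIG source, so the printed check may need to stay verbatim, but the automated test for this control (outside this hunk) should treat a missing parameter, a value of 0 (which disables the check), or any value greater than 3 as the finding, e.g. by requiring `maxrepeat=(1|2|3)` on the uncommented pam_cracklib line. A one-line comment in the control noting that the test deliberately departs from the printed check would save the next reader the same double-take.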
@@ -34,7 +34,7 @@ INACTIVE=35 If it does not, this is a finding." - tag "fix": "To specify the number of days after a password expires (which + desc 'fix', "To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in \"/etc/default/useradd\", substituting \"[NUM_DAYS]\" appropriately: diff --git a/controls/V-38695.rb b/controls/V-38695.rb index c6ac88f..9217a88 100644 --- a/controls/V-38695.rb +++ b/controls/V-38695.rb @@ -5,7 +5,7 @@ libraries or binaries." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000094" tag "gid": "V-38695" tag "rid": "SV-50496r2_rule" @@ -23,13 +23,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine that periodic AIDE execution has been scheduled, + desc 'check', "To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output or if aide is not run at least weekly, this is a finding." - tag "fix": "AIDE should be executed on a periodic basis to check for changes. + desc 'fix', "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/controls/V-38696.rb b/controls/V-38696.rb index 412c249..d29bf14 100644 --- a/controls/V-38696.rb +++ b/controls/V-38696.rb @@ -4,7 +4,7 @@ components/devices into the operating system." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000098" tag "gid": "V-38696" tag "rid": "SV-50497r2_rule" 
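Review bot: The check wording in the V-38695 `@@ -23,13 +23,13 @@` hunk makes cadence part of the finding (`If there is no output or if aide is not run at least weekly, this is a finding.`), but the command it prescribes, `grep aide /etc/crontab /etc/cron.*/*`, only shows that some file mentions aide; it also matches commented-out entries, so a disabled `#05 4 * * * root /usr/sbin/aide --check` passes. The `describe` block for this control is outside the hunk, but if it follows the printed check it will accept a commented-out or monthly job. Consider matching only uncommented lines (`grep -E '^[^#]*aide' /etc/crontab /etc/cron.*/*`) and treating a hit in /etc/cron.daily or /etc/cron.weekly, or a crontab entry with a weekly-or-better schedule, as the passing condition, with anything else flagged for manual review rather than silently passed.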
@@ -22,13 +22,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine that periodic AIDE execution has been scheduled, + desc 'check', "To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding." - tag "fix": "AIDE should be executed on a periodic basis to check for changes. + desc 'fix', "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/controls/V-38697.rb b/controls/V-38697.rb index 4953743..c62b241 100644 --- a/controls/V-38697.rb +++ b/controls/V-38697.rb @@ -9,7 +9,7 @@ users for temporary file storage - such as /tmp - and for directories requiring global read/write access. " - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38697" tag "rid": "SV-50498r2_rule" @@ -27,7 +27,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To find world-writable directories that lack the sticky bit, + desc 'check', "To find world-writable directories that lack the sticky bit, run the following command for each local partition [PART]: # find [PART] -xdev -type d -perm -002 \\! -perm -1000 @@ -35,7 +35,7 @@ If any world-writable directories are missing the sticky bit, this is a finding." - tag "fix": "When the so-called 'sticky bit' is set on a directory, only the + desc 'fix', "When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's diff --git a/controls/V-38698.rb b/controls/V-38698.rb index 503d1d1..5ea16d7 100644 --- a/controls/V-38698.rb +++ b/controls/V-38698.rb 
@@ -5,7 +5,7 @@ defined frequency." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000232" tag "gid": "V-38698" tag "rid": "SV-50499r2_rule" @@ -23,13 +23,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine that periodic AIDE execution has been scheduled, + desc 'check', "To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding." - tag "fix": "AIDE should be executed on a periodic basis to check for changes. + desc 'fix', "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/controls/V-38699.rb b/controls/V-38699.rb index 9e54a4e..0bcccc6 100644 --- a/controls/V-38699.rb +++ b/controls/V-38699.rb @@ -3,7 +3,7 @@ desc "Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38699" tag "rid": "SV-50500r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "The following command will discover and print world-writable + desc 'check', "The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: 
@@ -30,7 +30,7 @@ If there is output, this is a finding." - tag "fix": "All directories in local partitions which are world-writable + desc 'fix', "All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate diff --git a/controls/V-38700.rb b/controls/V-38700.rb index ad12cd9..74bf41d 100644 --- a/controls/V-38700.rb +++ b/controls/V-38700.rb @@ -4,7 +4,7 @@ occurs. " desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000196" tag "gid": "V-38700" tag "rid": "SV-50501r2_rule" @@ -22,13 +22,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine that periodic AIDE execution has been scheduled, + desc 'check', "To determine that periodic AIDE execution has been scheduled, run the following command: # grep aide /etc/crontab /etc/cron.*/* If there is no output, this is a finding." - tag "fix": "AIDE should be executed on a periodic basis to check for changes. + desc 'fix', "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: diff --git a/controls/V-38701.rb b/controls/V-38701.rb index 94ab136..701d89c 100644 --- a/controls/V-38701.rb +++ b/controls/V-38701.rb @@ -4,7 +4,7 @@ desc "Using the \"-s\" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private." - impact 0.7 + impact 'high' tag "gtitle": "SRG-OS-999999" tag "gid": "V-38701" tag "rid": "SV-50502r1_rule" 
@@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify \"tftp\" is configured by with the \"-s\" option by + desc 'check', "Verify \"tftp\" is configured by with the \"-s\" option by running the following command: grep \"server_args\" /etc/xinetd.d/tftp @@ -34,7 +34,7 @@ server_args = -s /var/lib/tftpboot If it does not, this is a finding." - tag "fix": "If running the \"tftp\" service is necessary, it should be + desc 'fix', "If running the \"tftp\" service is necessary, it should be configured to change its root directory at startup. To do so, ensure \"/etc/xinetd.d/tftp\" includes \"-s\" as a command line argument, as shown in the following example (which is also the default): diff --git a/controls/V-38702.rb b/controls/V-38702.rb index 021e0fa..c875c49 100644 --- a/controls/V-38702.rb +++ b/controls/V-38702.rb @@ -4,7 +4,7 @@ configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000037" tag "gid": "V-38702" tag "rid": "SV-50503r1_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Find if logging is applied to the ftp daemon. + desc 'check', "Find if logging is applied to the ftp daemon. Procedures: @@ -43,7 +43,7 @@ If xferlog_enable is missing, or is not set to yes, this is a finding." - tag "fix": "Add or correct the following configuration options within the + desc 'fix', "Add or correct the following configuration options within the \"vsftpd\" configuration file, located at \"/etc/vsftpd/vsftpd.conf\". xferlog_enable=YES diff --git a/controls/V-43150.rb b/controls/V-43150.rb index d2f4ee9..147c1da 100644 --- a/controls/V-43150.rb +++ b/controls/V-43150.rb 
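Review bot: The new `desc 'check'` string for V-38701 carries a doubled preposition, "configured by with the \"-s\" option by", copied verbatim from the old tag; now that this text is surfaced as a first-class description in reports it is worth fixing in the same line: `desc 'check', "Verify \"tftp\" is configured with the \"-s\" option by`. The rest of the control, including its describe block, lies outside the hunk.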
@@ -3,7 +3,7 @@ desc "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-43150" tag "rid": "SV-55880r2_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If the GConf2 package is not installed, this is not applicable. + desc 'check', "If the GConf2 package is not installed, this is not applicable. To ensure the user list is disabled, run the following command: @@ -30,7 +30,7 @@ --get /apps/gdm/simple-greeter/disable_user_list The output should be \"true\". If it is not, this is a finding. " - tag "fix": "In the default graphical environment, users logging directly into + desc 'fix', "In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled. @@ -45,7 +45,7 @@ its('stdout.strip') { should eq 'true' } end else - impact 0.0 + impact 'none' describe "Package GConf2 not installed" do skip "Package GConf2 not installed, this control Not Applicable" end diff --git a/controls/V-51337.rb b/controls/V-51337.rb index 7d4391a..a3f44ff 100644 --- a/controls/V-51337.rb +++ b/controls/V-51337.rb @@ -3,7 +3,7 @@ desc "Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-51337" tag "rid": "SV-65547r2_rule" 
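Review bot: V-43150 now sets `impact` twice — `'medium'` at the top of the control and `'none'` in the `else` branch of the GConf2 package check at the end of the hunk — and relies on the later call winning when the package is absent. That is a legitimate way to mark the control Not Applicable, but it reads like a leftover, so a short comment on the override would help the next maintainer: `impact 'none' # N/A when GConf2 is absent: overrides the 'medium' impact declared above`. The conditional wrapping this branch starts outside the hunk.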
@@ -21,11 +21,11 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/boot/grub/grub.conf\" for any instances of + desc 'check', "Inspect \"/boot/grub/grub.conf\" for any instances of \"selinux=0\" in the kernel boot arguments. Presence of \"selinux=0\" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding." - tag "fix": "SELinux can be disabled at boot time by an argument in + desc 'fix', "SELinux can be disabled at boot time by an argument in \"/boot/grub/grub.conf\". Remove any instances of \"selinux=0\" from the kernel arguments in that file to prevent SELinux from being disabled at boot. " diff --git a/controls/V-51363.rb b/controls/V-51363.rb index 1823408..b9951a9 100644 --- a/controls/V-51363.rb +++ b/controls/V-51363.rb @@ -5,7 +5,7 @@ confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-51363" tag "rid": "SV-65573r1_rule" @@ -23,13 +23,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Check the file \"/etc/selinux/config\" and ensure the following + desc 'check', "Check the file \"/etc/selinux/config\" and ensure the following line appears: SELINUX=enforcing If SELINUX is not set to enforcing, this is a finding. " - tag "fix": "The SELinux state should be set to \"enforcing\" at system boot + desc 'fix', "The SELinux state should be set to \"enforcing\" at system boot time. In the file \"/etc/selinux/config\", add or correct the following line to configure the system to boot into enforcing mode: diff --git a/controls/V-51369.rb b/controls/V-51369.rb index d6a48bb..297ba01 100644 --- a/controls/V-51369.rb +++ b/controls/V-51369.rb 
@@ -4,7 +4,7 @@ desc "Setting the SELinux policy to \"targeted\" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. " - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-51369" tag "rid": "SV-65579r1_rule" @@ -22,13 +22,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Check the file \"/etc/selinux/config\" and ensure the following + desc 'check', "Check the file \"/etc/selinux/config\" and ensure the following line appears: SELINUXTYPE=targeted If it does not, this is a finding. " - tag "fix": "The SELinux \"targeted\" policy is appropriate for + desc 'fix', "The SELinux \"targeted\" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in \"/etc/selinux/config\": diff --git a/controls/V-51379.rb b/controls/V-51379.rb index a6189dd..4db372e 100644 --- a/controls/V-51379.rb +++ b/controls/V-51379.rb @@ -3,7 +3,7 @@ Module." desc "If a device file carries the SELinux type \"unlabeled_t\", then SELinux cannot properly restrict access to the device file. " - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-999999" tag "gid": "V-51379" tag "rid": "SV-65589r1_rule" 
@@ -21,14 +21,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To check for unlabeled device files, run the following command: + desc 'check', "To check for unlabeled device files, run the following command: # ls -RZ /dev | grep unlabeled_t It should produce no output in a well-configured system. If there is output, this is a finding. " - tag "fix": "Device files, which are used for communication with important + desc 'fix', "Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type \"unlabeled_t\", investigate the cause and correct the file's context. " diff --git a/controls/V-51391.rb b/controls/V-51391.rb index b5d19ee..6e425b0 100644 --- a/controls/V-51391.rb +++ b/controls/V-51391.rb @@ -3,7 +3,7 @@ desc "For AIDE to be effective, an initial database of \"known-good\" information about files must be captured and it should be able to be verified against the installed files. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000232" tag "gid": "V-51391" tag "rid": "SV-65601r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To find the location of the AIDE database file, run the + desc 'check', "To find the location of the AIDE database file, run the following command: # grep DBDIR /etc/aide.conf @@ -32,7 +32,7 @@ # ls -l [DBDIR]/[database_file_name] If there is no database file, this is a finding. " - tag "fix": "Run the following command to generate a new database: + desc 'fix', "Run the following command to generate a new database: # /usr/sbin/aide --init diff --git a/controls/V-51875.rb b/controls/V-51875.rb index 19ed47a..ca7f5a1 100644 --- a/controls/V-51875.rb +++ b/controls/V-51875.rb 
@@ -7,7 +7,7 @@ attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-51875" tag "rid": "SV-66089r1_rule" @@ -25,14 +25,14 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To ensure that last logon/access notification is configured + desc 'check', "To ensure that last logon/access notification is configured correctly, run the following command: # grep pam_lastlog.so /etc/pam.d/system-auth The output should show output \"showfailed\". If that is not the case, this is a finding. " - tag "fix": "To configure the system to notify users of last logon/access + desc 'fix', "To configure the system to notify users of last logon/access using \"pam_lastlog\", add the following line immediately after \"session required pam_limits.so\": diff --git a/controls/V-54381.rb b/controls/V-54381.rb index b546417..218e461 100644 --- a/controls/V-54381.rb +++ b/controls/V-54381.rb @@ -4,7 +4,7 @@ desc "Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-54381" tag "rid": "SV-68627r3_rule" @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + desc 'check', "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low: 
@@ -30,7 +30,7 @@ If the system is not configured to switch to single-user mode, suspend, or halt for corrective action, this is a finding. " - tag "fix": "The \"auditd\" service can be configured to take an action when + desc 'fix', "The \"auditd\" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file \"/etc/audit/auditd.conf\". Add or modify the following line, substituting [ACTION] appropriately: diff --git a/controls/V-57569.rb b/controls/V-57569.rb index 0045afa..00a4be7 100644 --- a/controls/V-57569.rb +++ b/controls/V-57569.rb @@ -3,7 +3,7 @@ desc "Allowing users to execute binaries from world-writable directories such as \"/tmp\" should never be necessary in normal operation and can expose the system to potential compromise." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-999999" tag "gid": "V-57569" tag "rid": "SV-71919r1_rule" @@ -21,7 +21,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To verify that binaries cannot be directly executed from the + desc 'check', "To verify that binaries cannot be directly executed from the /tmp directory, run the following command: $ grep '\\s/tmp' /etc/fstab @@ -29,7 +29,7 @@ The resulting output will show whether the /tmp partition has the \"noexec\" flag set. If the /tmp partition does not have the noexec flag set, this is a finding." - tag "fix": "The \"noexec\" mount option can be used to prevent binaries from + desc 'fix', "The \"noexec\" mount option can be used to prevent binaries from being executed out of \"/tmp\". Add the \"noexec\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of \"/tmp\"." diff --git a/controls/V-58901.rb b/controls/V-58901.rb index ff24d36..5df771e 100644 --- a/controls/V-58901.rb +++ b/controls/V-58901.rb 
@@ -7,7 +7,7 @@ file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts." - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000373" tag "gid": "V-58901" tag "rid": "SV-73331r2_rule" @@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "If passwords are not being used for authentication, this is Not + desc 'check', "If passwords are not being used for authentication, this is Not Applicable. Verify neither the \"NOPASSWD\" option nor the \"!authenticate\" option is @@ -38,7 +38,7 @@ If the \"NOPASSWD\" or \"!authenticate\" options are configured for use in \"/etc/sudoers\" or associated files, this is a finding." - tag "fix": "Update the \"/etc/sudoers\" or other sudo configuration files to + desc 'fix', "Update the \"/etc/sudoers\" or other sudo configuration files to remove or comment out lines utilizing the \"NOPASSWD\" and \"!authenticate\" options. diff --git a/controls/V-72817.rb b/controls/V-72817.rb index bead041..e5da65b 100644 --- a/controls/V-72817.rb +++ b/controls/V-72817.rb @@ -7,7 +7,7 @@ malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources." - impact 0.5 + impact 'medium' tag "gtitle": "RHEL-06-000293" tag "gid": "V-72817" tag "rid": "SV-87461r1_rule" @@ -25,7 +25,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "This is N/A for systems that do not have wireless network + desc 'check', "This is N/A for systems that do not have wireless network adapters. Verify that there are no wireless interfaces configured on the system: 
@@ -59,7 +59,7 @@ If a wireless interface is configured and has not been documented and approved, this is a finding. " - tag "fix": "Configure the system to disable all wireless network interfaces." + desc 'fix', "Configure the system to disable all wireless network interfaces." wlans = command('ls /sys/class/net').stdout.split.select { |e| e.start_with? 'wlan' } diff --git a/controls/V-81441.rb b/controls/V-81441.rb index 95f3b4e..e69dd7b 100644 --- a/controls/V-81441.rb +++ b/controls/V-81441.rb @@ -5,7 +5,7 @@ nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000062" tag "gid": "V-81441" tag "rid": "SV-96155r1_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "To determine if the system is configured to audit calls to the + desc 'check', "To determine if the system is configured to audit calls to the \"adjtimex\" system call, run the following command: $ sudo grep -w \"adjtimex\" /etc/audit/audit.rules @@ -32,7 +32,7 @@ If the system is not configured to audit time changes, this is a finding. " - tag "fix": "On a 32-bit system, add the following to + desc 'fix', "On a 32-bit system, add the following to \"/etc/audit/audit.rules\": # audit_time_rules diff --git a/controls/V-81443.rb b/controls/V-81443.rb index 6a84ee5..e53e16a 100644 --- a/controls/V-81443.rb +++ b/controls/V-81443.rb @@ -4,7 +4,7 @@ desc "Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. " - impact 0.5 + impact 'medium' tag "gtitle": "SRG-OS-000480-GPOS-00227" tag "gid": "V-81443" tag "rid": "SV-96157r1_rule" 
@@ -22,13 +22,13 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify an anti-virus solution is installed on the system. The + desc 'check', "Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding. " - tag "fix": "Install an anti-virus solution on the system. " + desc 'fix', "Install an anti-virus solution on the system. " describe "Manual test" do skip "This control must be reviewed manually" diff --git a/controls/V-81445.rb b/controls/V-81445.rb index 62ffc2b..29f5628 100644 --- a/controls/V-81445.rb +++ b/controls/V-81445.rb @@ -5,7 +5,7 @@ character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000368-GPOS-00154" tag "gid": "V-81445" tag "rid": "SV-96159r1_rule" @@ -23,7 +23,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify that the \"nodev\" option is configured for /dev/shm. + desc 'check', "Verify that the \"nodev\" option is configured for /dev/shm. Check that the operating system is configured to use the \"nodev\" option for /dev/shm with the following command: @@ -41,7 +41,7 @@ If no results are returned, this is a finding. " - tag "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option for all + desc 'fix', "Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\"." describe file("/etc/fstab") do diff --git a/controls/V-81447.rb b/controls/V-81447.rb index be7f2fa..f05d31d 100644 --- a/controls/V-81447.rb +++ b/controls/V-81447.rb 
@@ -6,7 +6,7 @@ for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000368-GPOS-00154" tag "gid": "V-81447" tag "rid": "SV-96161r1_rule" @@ -24,7 +24,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify that the \"nosuid\" option is configured for /dev/shm. + desc 'check', "Verify that the \"nosuid\" option is configured for /dev/shm. Check that the operating system is configured to use the \"nosuid\" option for /dev/shm with the following command: @@ -41,7 +41,7 @@ # mount | grep \"/dev/shm\" | grep nosuid If no results are returned, this is a finding." - tag "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option for all + desc 'fix', "Configure the \"/etc/fstab\" to use the \"nosuid\" option for all lines containing \"/dev/shm\"." describe file("/etc/fstab") do diff --git a/controls/V-81449.rb b/controls/V-81449.rb index 5d8986f..46cfaac 100644 --- a/controls/V-81449.rb +++ b/controls/V-81449.rb @@ -6,7 +6,7 @@ approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." - impact 0.3 + impact 'low' tag "gtitle": "SRG-OS-000368-GPOS-00154" tag "gid": "V-81449" tag "rid": "SV-96163r1_rule" @@ -24,7 +24,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Verify that the \"noexec\" option is configured for /dev/shm. + desc 'check', "Verify that the \"noexec\" option is configured for /dev/shm. Check that the operating system is configured to use the \"noexec\" option for /dev/shm with the following command: 
@@ -42,7 +42,7 @@ If no results are returned, this is a finding. " - tag "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option for all + desc 'fix', "Configure the \"/etc/fstab\" to use the \"noexec\" option for all lines containing \"/dev/shm\"." describe file("/etc/fstab") do