From 3e4980f3080656a98f1a96debf54265fa71d88ca Mon Sep 17 00:00:00 2001 From: Joyce Quach Date: Fri, 8 Nov 2024 13:22:12 -0500 Subject: [PATCH] Update XCCDF mapper and expected XML->HDF test outputs to not include static analysis tags if there are already existing found NIST tags and/or mapped CCI->NIST tags Signed-off-by: Joyce Quach --- ...nscap-ComplianceAsCode-ubuntu1804-hdf.json | 1040 +++++++---------- .../xccdf-openscap-rhel7-hdf-withraw.json | 392 +++---- .../xccdf-openscap-rhel7-hdf.json | 392 +++---- .../xccdf-openscap-rhel8-hdf-withraw.json | 398 +++---- .../xccdf-openscap-rhel8-hdf.json | 398 +++---- .../xccdf-scc-rhel7-hdf-withraw.json | 390 +++---- .../xccdf-scc-rhel7-hdf.json | 390 +++---- .../xccdf-scc-rhel8-hdf-withraw.json | 398 +++---- .../xccdf-scc-rhel8-hdf.json | 398 +++---- .../src/xccdf-results-mapper.ts | 29 +- 10 files changed, 2052 insertions(+), 2173 deletions(-) diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json index 0f164bcbe9..eb442d084e 100644 --- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-ComplianceAsCode-ubuntu1804-hdf.json @@ -26,8 +26,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AC-17 a.", "AC-17 (2)", "CM-6 a.", 
@@ -196,13 +194,13 @@ "CCI-002450" ], "nist": [ - "IA-7", - "SC-13 b", "SC-12 (2)", "SC-12 (3)", + "IA-7", "SC-13", "CM-6 a.", - "SC-12" + "SC-12", + "SC-13 b." ], "severity": "high", "description": "To enable processing of sensitive information the operating system must\nprovide certified cryptographic modules compliant with FIPS 140-2\nstandard.\n\nUbuntu Linux is supported by Canonical Ltd. As the Ubuntu Linux Vendor, Canonical Ltd. is\nresponsible for government certifications and standards.\n\nUsers of Ubuntu Linux either need an Ubuntu Advantage subscription or need\nto be using Ubuntu Pro from a sponsored vendor in order to have access to\nFIPS content supported by Canonical.", @@ -360,10 +358,10 @@ "CCI-001263" ], "nist": [ - "CM-6 b", + "CM-6 a.", + "CM-6 b.", "SI-2 (2)", - "SI-4 (5)", - "CM-6 a." + "SI-4 (5)" ], "severity": "medium", "description": "Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely\nnecessary. If SELinux is enabled, do not install or enable this module.", @@ -1719,10 +1717,10 @@ "CCI-001208" ], "nist": [ - "CM-6 b", - "SC-32", "CM-6 a.", - "SC-5 (2)" + "SC-5 (2)", + "CM-6 b.", + "SC-32" ], "severity": "low", "description": "If user home directories will be stored locally, create a separate partition\nfor /home at installation time (or migrate it later using LVM). If\n/home will be mounted from another system such as an NFS server, then\ncreating a separate partition is not necessary at installation time, and the\nmountpoint can instead be configured later.", @@ -2075,9 +2073,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "CM-6 a.", - "SC-5 (2)" + "SC-5 (2)", + "CM-6 b." ], "severity": "low", "description": "The /tmp directory is a world-writable directory used\nfor temporary file storage. Ensure it has its own partition or\nlogical volume at installation time, or migrate it using LVM.", 
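Review bot: The regenerated `nist` array in the hunk at `@@ -196,13 +194,13 @@` changes only in order (`IA-7` and `SC-13 b.` now trail `SC-12`), and the same ordering churn repeats in most hunks of this fixture, which suggests the mapper appends CCI-derived tags after the rule's own found tags without sorting. If the mapper emitted a sorted, de-duplicated list, these fixtures would stay stable and a future reorder would not surface as a diff. Here `SC-13 b` is normalised to `SC-13 b.`, while elsewhere in the file `AC-7 a` is dropped in favour of an existing `AC-7 a.`; a test asserting that the dedup key is the normalised form would guard against both spellings surviving side by side. The mapper change in `src/xccdf-results-mapper.ts` is listed in the diffstat but not shown in this chunk, so this is inferred from the fixture alone.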
@@ -2358,9 +2356,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "CM-6 a.", - "SC-5 (2)" + "SC-5 (2)", + "CM-6 b." ], "severity": "low", "description": "The /var directory is used by daemons and other system\nservices to store frequently-changing data. Ensure that /var has its own partition\nor logical volume at installation time, or migrate it using LVM.", @@ -2648,10 +2646,10 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "CM-6 a.", "AU-4", - "SC-5 (2)" + "SC-5 (2)", + "CM-6 b." ], "severity": "low", "description": "System logs are stored in the /var/log directory.\n\nEnsure that /var/log has its own partition or logical\nvolume at installation time, or migrate it using LVM.", @@ -3181,10 +3179,10 @@ "CCI-001849" ], "nist": [ - "CM-6 b", - "AU-4", "CM-6 a.", - "SC-5 (2)" + "AU-4", + "SC-5 (2)", + "CM-6 b." ], "severity": "low", "description": "Audit logs are stored in the /var/log/audit directory.\n\nEnsure that /var/log/audit has its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.", @@ -5967,11 +5965,11 @@ "CCI-001227" ], "nist": [ - "CM-6 b", - "SI-2 a", "SI-2 (5)", "SI-2 c.", - "CM-6 a." + "CM-6 a.", + "CM-6 b.", + "SI-2 a." ], "severity": "medium", "description": "\nIf the system has an apt repository available, run the following command to install updates:\n$ apt update && apt full-upgrade\n\n\nNOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy\ndictates.", @@ -6367,7 +6365,6 @@ "CCI-000044" ], "nist": [ - "AC-7 a", "AC-7 a." ], "severity": "medium", @@ -6451,7 +6448,6 @@ "CCI-000044" ], "nist": [ - "AC-7 a", "AC-7 a." ], "severity": "medium", @@ -6531,7 +6527,6 @@ "CCI-000044" ], "nist": [ - "AC-7 a", "AC-7 a." ], "severity": "medium", @@ -7241,7 +7236,6 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)", "IA-5 f.", "IA-5 (1) d.", "CM-6 a." 
@@ -7811,7 +7805,6 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)", "IA-5 f.", "IA-5 (1) d.", "CM-6 a." @@ -8373,7 +8366,6 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)", "IA-5 f.", "IA-5 (1) a.", "CM-6 a." @@ -9018,8 +9010,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "IA-5 f.", "IA-5 (1) d.", "CM-6 a." @@ -9707,8 +9697,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "IA-5 h.", "CM-6 a." ], @@ -10764,10 +10752,10 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "IA-5 (1) a.", "IA-5 c.", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "high", "description": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of the\nnullok in\n\n/etc/pam.d/system-auth and\n/etc/pam.d/password-auth\n\nto prevent logins with empty passwords.", @@ -11626,7 +11614,6 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "CM-6 b.", "CM-6 (1) iv." ], @@ -11719,7 +11706,6 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)", "IA-5 h.", "IA-5 (1) c.", "CM-6 a.", @@ -12570,10 +12556,10 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "IA-2", "AC-6 (5)", - "IA-4 b." + "IA-4 b.", + "CM-6 b." ], "severity": "high", "description": "If any account other than root has a UID of 0, this misconfiguration should\nbe investigated and the accounts other than root should be removed or have\ntheir UID changed.\n\nIf the account is associated with system commands or applications the UID\nshould be changed to one greater than \"0\" but less than \"1000.\"\nOtherwise assign a UID greater than \"1000\" that has not already been\nassigned.", @@ -13470,8 +13456,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "IA-2", "CM-6 a." ], @@ -14130,8 +14114,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AC-6", "CM-6 a." ], 
@@ -14280,9 +14262,9 @@ "CCI-000770" ], "nist": [ - "IA-2 (5)", "AC-6", - "CM-6 a." + "CM-6 a.", + "IA-2 (5)" ], "severity": "medium", "description": "To restrict root logins on serial ports,\nensure lines of this form do not appear in /etc/securetty:\nttyS0\nttyS1", @@ -14861,9 +14843,9 @@ "CCI-000770" ], "nist": [ - "IA-2 (5)", "AC-6", - "CM-6 a." + "CM-6 a.", + "IA-2 (5)" ], "severity": "medium", "description": "To restrict root logins through the (deprecated) virtual console devices,\nensure lines of this form do not appear in /etc/securetty:\nvc/1\nvc/2\nvc/3\nvc/4", @@ -15458,8 +15440,8 @@ "CCI-000366" ], "nist": [ - "CM-6 b", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "medium", "description": "For each element in root's path, run:\n# ls -ld DIR\nand ensure that write permissions are disabled for group and\nother.", @@ -15674,8 +15656,8 @@ "CCI-000366" ], "nist": [ - "CM-6 b", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "unknown", "description": "Ensure that none of the directories in root's path is equal to a single\n. character, or\nthat it contains any instances that lead to relative path traversal, such as\n.. or beginning a path without the slash (/) character.\nAlso ensure that there are no \"empty\" elements in the path, such as in these examples:\nPATH=:/bin\nPATH=/bin:\nPATH=/bin::/sbin\nThese empty elements have the same effect as a single . character.", @@ -15894,9 +15876,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "AC-6 (1)", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "medium", "description": "To ensure the default umask controlled by /etc/login.defs is set properly,\nadd or correct the UMASK setting in /etc/login.defs to read as follows:\nUMASK ", 
@@ -16318,9 +16300,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "AC-6 (1)", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "medium", "description": "To ensure the default umask controlled by /etc/profile is set properly,\nadd or correct the umask setting in /etc/profile to read as follows:\numask ", @@ -16618,9 +16600,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "AC-7 b.", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "medium", "description": "To ensure the logon failure delay controlled by /etc/login.defs is set properly,\nadd or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:\nFAIL_DELAY ", @@ -17288,9 +17270,9 @@ "CCI-000225" ], "nist": [ - "AC-6", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6" ], "severity": "medium", "description": "For each human user of the system, view the\npermissions of the user's home directory:\n# ls -ld /home/USER\nEnsure that the directory is not group-writable and that it\nis not world-readable. If necessary, repair the permissions:\n# chmod g-w /home/USER\n# chmod o-rwx /home/USER", 
@@ -17774,15 +17756,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured to\nuse the augenrules program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix .rules in\nthe directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -18908,15 +18889,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured to\nuse the augenrules program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix .rules in\nthe directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -20050,15 +20030,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured to\nuse the augenrules program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix .rules in\nthe directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -21184,15 +21163,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured to\nuse the augenrules program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix .rules in\nthe directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -22318,15 +22296,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -23460,15 +23437,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -24601,14 +24577,13 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.\n\nIf the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -25750,15 +25725,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -26908,15 +26882,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -28049,14 +28022,13 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.\n\nIf the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -29198,15 +29170,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -30355,14 +30326,13 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root.\n\nIf the auditd daemon is configured to use the augenrules\nprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffix .rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod\n\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -31504,15 +31474,14 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file permission\nchanges for all users and root. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -32636,10 +32605,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a.", + "AU-12 a.", + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file system umount\nchanges. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -F key=perm_mod", @@ -32773,10 +32742,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)" + "AU-3 a.", + "AU-12 a.", + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file system umount2\nchanges. If the auditd daemon is configured\nto use the augenrules program to read audit rules during daemon\nstartup (the default), add the following line to a file with suffix\n.rules in the directory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -F key=perm_mod", 
@@ -32912,15 +32881,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "CM-6 b", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "CM-6 b.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete", 
@@ -34082,15 +34050,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "CM-6 b", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "CM-6 b.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete", 
@@ -35252,15 +35219,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "CM-6 b", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "CM-6 b.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete", 
@@ -36422,15 +36388,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "CM-6 b", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "CM-6 b.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete", 
@@ -37592,15 +37557,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "CM-6 b", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "CM-6 b.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect file deletion events\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete", @@ -38757,7 +38721,6 @@ "CCI-000172" ], "nist": [ - "AU-12 c", "AU-12 c." ], "severity": "medium", @@ -38837,7 +38800,6 @@ "CCI-000172" ], "nist": [ - "AU-12 c", "AU-12 c." ], "severity": "medium", @@ -38917,7 +38879,6 @@ "CCI-000172" ], "nist": [ - "AU-12 c", "AU-12 c." ], "severity": "medium", @@ -38997,7 +38958,6 @@ "CCI-000172" ], "nist": [ - "AU-12 c", "AU-12 c." ], "severity": "medium", @@ -39077,10 +39037,10 @@ "CCI-002234" ], "nist": [ - "AC-6 (9)", "AC-2 (4)", "AU-2 d.", "AU-12 c.", + "AC-6 (9)", "CM-6 a." ], "severity": "medium", 
@@ -40246,12 +40206,12 @@ "CCI-000169" ], "nist": [ - "AU-3 f", - "AU-12 a", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 f.", + "AU-12 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", 
@@ -41257,12 +41217,12 @@ "CCI-000169" ], "nist": [ - "AU-3 f", - "AU-12 a", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 f.", + "AU-12 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change\nThe -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if\ndesired, but is not required. See an example of multiple combined syscalls:\n-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", 
@@ -42262,12 +42222,12 @@ "CCI-000169" ], "nist": [ - "AU-3 f", - "AU-12 a", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 f.", + "AU-12 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d:\n-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules\nIf the system is 64 bit then also add the following line:\n-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules\nThe -k option allows for the specification of a key in string form that can be\nused for better reporting capability through ausearch and aureport. Multiple\nsystem calls can be defined on the same line to save space if desired, but is\nnot required. See an example of multiple combined syscalls:\n-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", 
@@ -43267,12 +43227,12 @@ "CCI-000169" ], "nist": [ - "AU-3 f", - "AU-12 a", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 f.", + "AU-12 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d for both 32 bit and 64 bit systems:\n-a always,exit -F arch=b32 -S stime -F key=audit_time_rules\nSince the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). If the\nauditd daemon is configured to use the auditctl utility to\nread audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file for both 32 bit and 64 bit systems:\n-a always,exit -F arch=b32 -S stime -F key=audit_time_rules\nSince the 64 bit version of the \"stime\" system call is not defined in the audit\nlookup table, the corresponding \"-F arch=b64\" form of this rule is not expected\nto be defined on 64 bit systems (the aforementioned \"-F arch=b32\" stime rule\nform itself is sufficient for both 32 bit and 64 bit systems). The -k option\nallows for the specification of a key in string form that can be used for\nbetter reporting capability through ausearch and aureport. Multiple system\ncalls can be defined on the same line to save space if desired, but is not\nrequired. See an example of multiple combined system calls:\n-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules", 
@@ -44272,12 +44232,12 @@ "CCI-000169" ], "nist": [ - "AU-3 f", - "AU-12 a", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 f.", + "AU-12 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the default),\nadd the following line to a file with suffix .rules in the directory\n/etc/audit/rules.d:\n-w /etc/localtime -p wa -k audit_time_rules\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-w /etc/localtime -p wa -k audit_time_rules\nThe -k option allows for the specification of a key in string form that can\nbe used for better reporting capability through ausearch and aureport and\nshould always be used.", @@ -45278,9 +45238,9 @@ "CCI-000164" ], "nist": [ - "AU-9 a", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-9 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following line to a file with suffix .rules in the\ndirectory /etc/audit/rules.d in order to make the auditd configuration\nimmutable:\n-e 2\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file in order to make the auditd configuration\nimmutable:\n-e 2\nWith this setting, a reboot will be required to change any audit rules.", @@ -46285,8 +46245,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-2 d.", "AU-12 c.", "CM-6 a." 
@@ -47286,15 +47244,14 @@ "CCI-002884" ], "nist": [ - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect media exportation\nevents for all users and root. If the auditd daemon is configured to\nuse the augenrules program to read audit rules during daemon startup\n(the default), add the following line to a file with suffix .rules in\nthe directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as\nappropriate for your system:\n-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export", @@ -48363,8 +48320,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-2 d.", "AU-12 c.", "AC-6 (9)", @@ -49359,8 +49314,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-2 d.", "AU-12 c.", "CM-6 a." 
@@ -50407,17 +50360,16 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 (1)", - "AU-12 a", - "AU-12 c", - "MA-4 (1) (a)", "AC-2 (7) b.", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-2 c.", + "AU-3 a.", + "AU-3 (1)", + "AU-12 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "At a minimum, the audit system should collect administrator actions\nfor all users and root. If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the default),\nadd the following line to a file with suffix .rules in the directory\n/etc/audit/rules.d:\n-w /etc/sudoers -p wa -k actions\n-w /etc/sudoers.d/ -p wa -k actions\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following line to\n/etc/audit/audit.rules file:\n-w /etc/sudoers -p wa -k actions\n-w /etc/sudoers.d/ -p wa -k actions", 
@@ -51905,12 +51857,11 @@ ], "nist": [ "AC-2 (4)", - "AU-3 a", - "AU-12 c", "AU-2 d.", "AU-12 c.", "AC-6 (9)", - "CM-6 a." + "CM-6 a.", + "AU-3 a." ], "severity": "medium", "description": "If the auditd daemon is configured to use the\naugenrules program to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffix .rules in the\ndirectory /etc/audit/rules.d, in order to capture events that modify\naccount changes:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification\n\nIf the auditd daemon is configured to use the auditctl\nutility to read audit rules during daemon startup, add the following lines to\n/etc/audit/audit.rules file, in order to capture events that modify\naccount changes:\n-w /etc/group -p wa -k audit_rules_usergroup_modification\n-w /etc/passwd -p wa -k audit_rules_usergroup_modification\n-w /etc/gshadow -p wa -k audit_rules_usergroup_modification\n-w /etc/shadow -p wa -k audit_rules_usergroup_modification\n-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification", @@ -53311,8 +53262,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-2 d.", "AU-12 c.", "AC-6 (9)", @@ -53417,10 +53366,10 @@ "CCI-000164" ], "nist": [ - "AU-9 a", "CM-6 a.", "AC-6 (1)", - "AU-9" + "AU-9", + "AU-9 a." ], "severity": "medium", "description": "\nIf log_group in /etc/audit/auditd.conf is set to a group other than the root\ngroup account, change the mode of the audit log files with the following command:\n$ sudo chmod 0750 /var/log/audit\n\nOtherwise, change the mode of the audit log files with the following command:\n$ sudo chmod 0700 /var/log/audit", 
@@ -54327,7 +54276,7 @@ "CCI-000171" ], "nist": [ - "AU-12 b" + "AU-12 b." ], "severity": "medium", "description": "All audit configuration files must be owned by group root.\nchown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*", @@ -54398,7 +54347,7 @@ "CCI-000171" ], "nist": [ - "AU-12 b" + "AU-12 b." ], "severity": "medium", "description": "All audit configuration files must be owned by root user.\n\nTo properly set the owner of /etc/audit/, run the command:\n$ sudo chown root /etc/audit/ \n\nTo properly set the owner of /etc/audit/rules.d/, run the command:\n$ sudo chown root /etc/audit/rules.d/ ", @@ -54472,11 +54421,11 @@ "CCI-001314" ], "nist": [ - "AU-9 a", - "SI-11 b", "CM-6 a.", "AC-6 (1)", - "AU-9 (4)" + "AU-9 (4)", + "AU-9 a.", + "SI-11 b." ], "severity": "medium", "description": "All audit logs must be owned by root user and group. By default, the path for audit log is /var/log/audit/.\n\nTo properly set the owner of /var/log/audit, run the command:\n$ sudo chown root /var/log/audit \n\nTo properly set the owner of /var/log/audit/*, run the command:\n$ sudo chown root /var/log/audit/* ", @@ -55391,9 +55340,9 @@ "CCI-000136" ], "nist": [ - "AU-3 (2)", "AU-4 (1)", - "CM-6 a." + "CM-6 a.", + "AU-3 (2)" ], "severity": "medium", "description": "To configure the auditd service to use the\nsyslog plug-in of the audispd audit event multiplexor, set\nthe active line in /etc/audit/plugins.d/syslog.conf to yes.\nRestart the auditd service:\n$ sudo service auditd restart", @@ -56059,7 +56008,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", @@ -56714,7 +56662,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", @@ -57326,7 +57273,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", @@ -57989,7 +57935,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", 
@@ -58606,12 +58551,11 @@ "CCI-001855" ], "nist": [ - "AU-5 a", - "AU-5 (1)", "IA-5 (1)", "AU-5 a.", "AU-5 (2)", - "CM-6 a." + "CM-6 a.", + "AU-5 (1)" ], "severity": "medium", "description": "The auditd service can be configured to send email to\na designated account in certain situations. Add or correct the following line\nin /etc/audit/auditd.conf to ensure that administrators are notified\nvia email for those situations:\naction_mail_acct = ", @@ -59423,11 +59367,10 @@ "CCI-001855" ], "nist": [ - "AU-5 b", - "AU-5 (4)", - "AU-5 (1)", "AU-5 b.", "AU-5 (2)", + "AU-5 (1)", + "AU-5 (4)", "CM-6 a." ], "severity": "medium", @@ -60134,8 +60077,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-11", "CM-6 a." ], @@ -60753,7 +60694,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", @@ -61430,7 +61370,6 @@ "CCI-000140" ], "nist": [ - "AU-5 b", "AU-5 b.", "AU-5 (2)", "AU-5 (1)", @@ -62056,8 +61995,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AU-11", "CM-6 a." ], @@ -62697,9 +62634,9 @@ "CCI-001855" ], "nist": [ - "AU-5 (1)", "AU-5 b.", "AU-5 (2)", + "AU-5 (1)", "AU-5 (4)", "CM-6 a." ], @@ -63398,8 +63335,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6" ], "severity": "medium", @@ -63479,8 +63414,8 @@ "CCI-000366" ], "nist": [ - "CM-6 b", - "CM-6" + "CM-6", + "CM-6 b." ], "severity": "medium", "description": "To configure Audit daemon to include local events in Audit logs, set\nlocal_events to yes in /etc/audit/auditd.conf.\nThis is the default setting.", @@ -63575,9 +63510,9 @@ "CCI-000366" ], "nist": [ - "CM-6 b", "CM-6", - "AU-3" + "AU-3", + "CM-6 b." ], "severity": "low", "description": "To configure Audit daemon to resolve all uid, gid, syscall,\narchitecture, and socket address information before writing the\nevents to disk, set log_format to ENRICHED\nin /etc/audit/auditd.conf.", 
@@ -63680,9 +63615,9 @@ "CCI-001851" ], "nist": [ - "AU-4 (1)", "CM-6", - "AU-3" + "AU-3", + "AU-4 (1)" ], "severity": "medium", "description": "To configure Audit daemon to use value returned by gethostname\nsyscall as computer node name in the audit events,\nset name_format to hostname\nin /etc/audit/auditd.conf.", @@ -63878,8 +63813,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6" ], "severity": "medium", @@ -64061,30 +63994,30 @@ "CCI-000169" ], "nist": [ - "AU-3 a", - "AU-3 b", - "AU-3 c", - "AU-3 d", - "AU-3 e", - "AU-3 (1)", - "AU-6 (4)", - "AU-7 (1)", - "AU-12 c", - "AU-14 (1)", - "AU-3 f", - "CM-5 (1)", - "AU-7 a", - "AU-7 b", - "AU-8 b", - "AU-12 (3)", - "MA-4 (1) (a)", - "AU-12 a", "AC-7 a.", + "AU-7 (1)", "AU-7 (2)", "AU-14", "AU-12 (2)", "AU-2 a.", - "CM-6 a." + "CM-6 a.", + "AU-3 a.", + "AU-3 b.", + "AU-3 c.", + "AU-3 d.", + "AU-3 e.", + "AU-3 (1)", + "AU-6 (4)", + "AU-12 c.", + "AU-14 (1)", + "AU-3 f.", + "CM-5 (1)", + "AU-7 a.", + "AU-7 b.", + "AU-8 b.", + "AU-12 (3)", + "MA-4 (1) a.", + "AU-12 a." ], "severity": "medium", "description": "The audit package should be installed.", 
@@ -64660,34 +64593,33 @@ "CCI-000169" ], "nist": [ - "AU-2 c", - "AU-3 a", - "AU-3 b", - "AU-3 c", - "AU-3 d", - "AU-3 e", - "AU-3 (1)", - "AU-6 (4)", - "AU-7 (1)", - "AU-12 c", - "CM-6 b", - "AU-14 (1)", - "AU-3 f", - "CM-5 (1)", - "AU-7 a", - "MA-4 (1) (a)", - "AU-7 b", - "AU-8 b", - "AU-12 (3)", - "AU-12 a", "AC-2 g.", "AU-3", "AU-10", "AU-2 d.", "AU-12 c.", + "AU-14 (1)", "AC-6 (9)", "CM-6 a.", - "SI-4 (23)" + "SI-4 (23)", + "AU-2 c.", + "AU-3 a.", + "AU-3 b.", + "AU-3 c.", + "AU-3 d.", + "AU-3 e.", + "AU-3 (1)", + "AU-6 (4)", + "AU-7 (1)", + "CM-6 b.", + "AU-3 f.", + "CM-5 (1)", + "AU-7 a.", + "MA-4 (1) a.", + "AU-7 b.", + "AU-8 b.", + "AU-12 (3)", + "AU-12 a." ], "severity": "medium", "description": "The auditd service is an essential userspace component of\nthe Linux Auditing System, as it is responsible for writing audit records to\ndisk.\n\nThe auditd service can be enabled with the following command:\n$ sudo systemctl enable auditd.service", @@ -69657,9 +69589,9 @@ "CCI-001314" ], "nist": [ - "SI-11 b", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "SI-11 b." ], "severity": "medium", "description": "The group-owner of all log files written by\nrsyslog should be .\nThese log files are determined by the second part of each Rule line in\n/etc/rsyslog.conf and typically all appear in /var/log.\nFor each log file LOGFILE referenced in /etc/rsyslog.conf,\nrun the following command to inspect the file's group owner:\n$ ls -l LOGFILE\nIf the owner is not , run the following command to\ncorrect this:\n$ sudo chgrp LOGFILE", 
@@ -70197,9 +70129,9 @@ "CCI-001314" ], "nist": [ - "SI-11 b", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "SI-11 b." ], "severity": "medium", "description": "The owner of all log files written by\nrsyslog should be .\nThese log files are determined by the second part of each Rule line in\n/etc/rsyslog.conf and typically all appear in /var/log.\nFor each log file LOGFILE referenced in /etc/rsyslog.conf,\nrun the following command to inspect the file's owner:\n$ ls -l LOGFILE\nIf the owner is not , run the following command to\ncorrect this:\n$ sudo chown LOGFILE", @@ -70737,9 +70669,9 @@ "CCI-001314" ], "nist": [ - "SI-11 b", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "SI-11 b." ], "severity": "medium", "description": "The file permissions for all log files written by rsyslog should\nbe set to 600, or more restrictive. These log files are determined by the\nsecond part of each Rule line in /etc/rsyslog.conf and typically\nall appear in /var/log. For each log file LOGFILE\nreferenced in /etc/rsyslog.conf, run the following command to\ninspect the file's permissions:\n$ ls -l LOGFILE\nIf the permissions are not 600 or more restrictive, run the following\ncommand to correct this:\n$ sudo chmod 0600 LOGFILE\"", @@ -71028,8 +70960,8 @@ "CCI-000366" ], "nist": [ - "CM-6 b", - "CM-6 a." + "CM-6 a.", + "CM-6 b." ], "severity": "medium", "description": "The logrotate utility allows for the automatic rotation of\nlog files. The frequency of rotation is specified in /etc/logrotate.conf,\nwhich triggers a cron task. To configure logrotate to run daily, add or correct\nthe following line in /etc/logrotate.conf:\n# rotate log files frequency\ndaily", @@ -71378,8 +71310,8 @@ "CCI-001312" ], "nist": [ - "SI-11 a", - "CM-6 a." + "CM-6 a.", + "SI-11 a." ], "severity": "medium", "description": "syslog-ng can be installed in replacement of rsyslog.\nThe syslog-ng-core package can be installed with the following command:\n\n$ apt-get install syslog-ng-core", 
@@ -71709,10 +71641,10 @@ "CCI-001851" ], "nist": [ - "SI-11 a", - "AC-4 (17) c", + "CM-6 a.", "AU-4 (1)", - "CM-6 a." + "SI-11 a.", + "AC-4 (17) c." ], "severity": "medium", "description": "The syslog-ng service (in replacement of rsyslog) provides syslog-style logging by default on Debian.\n\nThe syslog-ng service can be enabled with the following command:\n$ sudo systemctl enable syslog-ng.service", @@ -72349,8 +72281,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AU-6 (3)", "AU-6 (4)" @@ -72710,8 +72640,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AU-6 (3)", "AU-6 (4)" @@ -73076,11 +73004,11 @@ "CCI-001851" ], "nist": [ - "CM-6 b", - "AU-9 (2)", - "AU-3 (2)", + "CM-6 a.", "AU-4 (1)", - "CM-6 a." + "AU-9 (2)", + "CM-6 b.", + "AU-3 (2)" ], "severity": "medium", "description": "To configure rsyslog to send logs to a remote log server,\nopen /etc/rsyslog.conf and read and understand the last section of the file,\nwhich describes the multiple directives necessary to activate remote\nlogging.\nAlong with these other directives, the system can be configured\nto forward its logs to a particular log server by\nadding or correcting one of the following lines,\nsubstituting appropriately.\nThe choice of protocol depends on the environment of the system;\nalthough TCP and RELP provide more reliable message delivery,\nthey may not be supported in all environments.\n\nTo use UDP for log message delivery:\n*.* @\n\nTo use TCP for log message delivery:\n*.* @@\n\nTo use RELP for log message delivery:\n*.* :omrelp:\n\nThere must be a resolvable DNS CNAME or Alias record set to \"\" for logs to be sent correctly to the centralized logging utility.", 
@@ -73670,9 +73598,9 @@ "CCI-000366" ], "nist": [ - "SI-11 a", - "CM-6 b", - "CM-6 a." + "CM-6 a.", + "SI-11 a.", + "CM-6 b." ], "severity": "medium", "description": "Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ apt-get install rsyslog", @@ -74057,11 +73985,11 @@ "CCI-000366" ], "nist": [ - "SI-11 a", - "AC-4 (17) c", + "CM-6 a.", "AU-4 (1)", - "CM-6 b", - "CM-6 a." + "SI-11 a.", + "AC-4 (17) c.", + "CM-6 b." ], "severity": "medium", "description": "The rsyslog service provides syslog-style logging by default on Ubuntu 18.04.\n\nThe rsyslog service can be enabled with the following command:\n$ sudo systemctl enable rsyslog.service", @@ -74728,8 +74656,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AC-4", "CM-7 b.", "CA-3 (5)", @@ -75827,8 +75753,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AC-4", "CM-7 b.", "CA-3 (5)", @@ -76926,8 +76850,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "AC-4", "CM-7 b.", "CA-3 (5)", @@ -77721,8 +77643,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CA-3 (5)", "CM-7 b.", "SC-7 (23)", @@ -78331,8 +78251,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CA-3 (5)", "CM-7 b.", "SC-7 (23)", @@ -78941,8 +78859,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-7 a.", "CM-7 b.", "CM-6 a." @@ -79536,10 +79452,10 @@ "CCI-001551" ], "nist": [ - "AC-4", "CM-7 a.", "CM-7 b.", - "CM-6 a." + "CM-6 a.", + "AC-4" ], "severity": "medium", "description": "To disable support for (ipv6) addressing on all interface add the following line to\n/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):\nnet.ipv6.conf.all.disable_ipv6 = 1\nThis disables IPv6 on all network interfaces as other services and system\nfunctionality require the IPv6 stack loaded to work.", 
@@ -80146,10 +80062,10 @@ "CCI-001551" ], "nist": [ - "AC-4", "CM-7 a.", "CM-7 b.", - "CM-6 a." + "CM-6 a.", + "AC-4" ], "severity": "medium", "description": "To disable support for (ipv6) addressing on interfaces by default add the following line to\n/etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):\nnet.ipv6.conf.default.disable_ipv6 = 1\nThis disables IPv6 on network interfaces by default as other services and system\nfunctionality require the IPv6 stack loaded to work.", @@ -81233,8 +81149,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-7 a.", "CM-7 b.", "CM-6 a." @@ -81834,7 +81748,6 @@ "CCI-000381" ], "nist": [ - "CM-7 a", "CM-7 a.", "CM-7 b.", "CM-6 a." @@ -82462,8 +82375,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group-", @@ -82555,8 +82468,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp shadow /etc/gshadow-", @@ -82648,8 +82561,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd-", @@ -82816,8 +82729,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AC-6 (1)" ], @@ -83342,8 +83253,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AC-6 (1)" ], @@ -83852,8 +83761,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AC-6 (1)" ], @@ -84378,8 +84285,6 @@ "tags": { "cci": [], "nist": [ - "SA-11", - "RA-5", "CM-6 a.", "AC-6 (1)" ], 
@@ -84906,8 +84811,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/group-, run the command: $ sudo chown root /etc/group- ", @@ -84999,8 +84904,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/gshadow-, run the command: $ sudo chown root /etc/gshadow- ", @@ -85092,8 +84997,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/passwd-, run the command: $ sudo chown root /etc/passwd- ", @@ -85185,8 +85090,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/shadow-, run the command: $ sudo chown root /etc/shadow- ", @@ -85278,9 +85183,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group ", @@ -85813,9 +85718,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow ", @@ -86340,9 +86245,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd ", 
@@ -86875,9 +86780,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": " To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow ", @@ -87418,8 +87323,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/group-, run the command:\n$ sudo chmod 0644 /etc/group-", @@ -87511,8 +87416,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/gshadow-, run the command:\n$ sudo chmod 0640 /etc/gshadow-", @@ -87604,8 +87509,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/passwd-, run the command:\n$ sudo chmod 0644 /etc/passwd-", @@ -87697,8 +87602,8 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/shadow-, run the command:\n$ sudo chmod 0640 /etc/shadow-", @@ -87790,9 +87695,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/passwd, run the command:\n$ sudo chmod 0644 /etc/passwd", @@ -88333,9 +88238,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/gshadow, run the command:\n$ sudo chmod 0640 /etc/gshadow", 
@@ -88860,9 +88765,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/passwd, run the command:\n$ sudo chmod 0644 /etc/passwd", @@ -89403,9 +89308,9 @@ "CCI-002223" ], "nist": [ - "AC-6 (1) (b)", "CM-6 a.", - "AC-6 (1)" + "AC-6 (1)", + "AC-6 (1) b." ], "severity": "medium", "description": "\nTo properly set the permissions of /etc/shadow, run the command:\n$ sudo chmod 0640 /etc/shadow", @@ -89946,7 +89851,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the group owner of /var/log, run the command: $ sudo chgrp syslog /var/log", @@ -90017,7 +89922,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the group owner of /var/log/messages, run the command: $ sudo chgrp root /var/log/messages", @@ -90088,7 +89993,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the group owner of /var/log/syslog, run the command: $ sudo chgrp adm /var/log/syslog", @@ -90159,7 +90064,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the owner of /var/log, run the command: $ sudo chown root /var/log ", @@ -90230,7 +90135,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the owner of /var/log/messages, run the command: $ sudo chown root /var/log/messages ", @@ -90301,7 +90206,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": " To properly set the owner of /var/log/syslog, run the command: $ sudo chown syslog /var/log/syslog ", 
@@ -90372,7 +90277,7 @@
 "CCI-001314"
 ],
 "nist": [
- "SI-11 b"
+ "SI-11 b."
 ],
 "severity": "medium",
 "description": "\nTo properly set the permissions of /var/log, run the command:\n$ sudo chmod 0755 /var/log",
@@ -90443,7 +90348,7 @@
 "CCI-001314"
 ],
 "nist": [
- "SI-11 b"
+ "SI-11 b."
 ],
 "severity": "medium",
 "description": "\nTo properly set the permissions of /var/log/messages, run the command:\n$ sudo chmod 0640 /var/log/messages",
@@ -90514,7 +90419,7 @@
 "CCI-001314"
 ],
 "nist": [
- "SI-11 b"
+ "SI-11 b."
 ],
 "severity": "medium",
 "description": "\nTo properly set the permissions of /var/log/syslog, run the command:\n$ sudo chmod 0640 /var/log/syslog",
@@ -90585,7 +90490,7 @@
 "CCI-001495"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\nAll these directories should be owned by the root user.\nIf any directory DIR in these directories is found\nto be owned by a user other than root, correct its ownership with the\nfollowing command:\n$ sudo chown root DIR",
@@ -90744,7 +90649,7 @@
 "CCI-001495"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "System executables are stored in the following directories by default:\n/bin\n/sbin\n/usr/bin\n/usr/sbin\n/usr/local/bin\n/usr/local/sbin\nThese directories should not be group-writable or world-writable.\nIf any directory DIR in these directories is found to be\ngroup-writable or world-writable, correct its permission with the\nfollowing command:\n$ sudo chmod go-w DIR",
@@ -90815,8 +90720,8 @@
 "CCI-001499"
 ],
 "nist": [
- "CM-5 (6)",
 "CM-5",
+ "CM-5 (6)",
 "CM-5 (6) (1)"
 ],
 "severity": "medium",
@@ -92418,8 +92323,8 @@
 "CCI-001499"
 ],
 "nist": [
- "CM-5 (6)",
 "CM-6 a.",
+ "CM-5 (6)",
 "CM-5 (6) (1)",
 "AC-6 (1)"
 ],
@@ -92916,9 +92821,9 @@
 "CCI-001090"
 ],
 "nist": [
- "SC-4",
 "CM-6 a.",
- "AC-6 (1)"
+ "AC-6 (1)",
+ "SC-4"
 ],
 "severity": "medium",
 "description": "When the so-called 'sticky bit' is set on a directory,\nonly the owner of a given file may remove that file from the\ndirectory. Without the sticky bit, any user with write access to a\ndirectory may remove any file in the directory. Setting the sticky\nbit prevents users from removing each other's files. In cases where\nthere is no reason for a directory to be world-writable, a better\nsolution is to remove that permission rather than to set the sticky\nbit. However, if a directory is used by a particular application,\nconsult that application's documentation instead of blindly\nchanging modes.\n\nTo set the sticky bit on a world-writable directory DIR, run the\nfollowing command:\n$ sudo chmod +t DIR",
@@ -93513,8 +93418,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a.",
 "AC-6 (1)"
 ],
@@ -94004,9 +93907,9 @@
 "CCI-002165"
 ],
 "nist": [
- "AC-3 (4)",
 "CM-6 a.",
- "AC-6 (1)"
+ "AC-6 (1)",
+ "AC-3 (4)"
 ],
 "severity": "medium",
 "description": "To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1\nTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1",
@@ -94210,9 +94113,9 @@
 "CCI-002165"
 ],
 "nist": [
- "AC-3 (4)",
 "CM-6 a.",
- "AC-6 (1)"
+ "AC-6 (1)",
+ "AC-3 (4)"
 ],
 "severity": "medium",
 "description": "To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1\nTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1",
@@ -94418,12 +94321,12 @@
 "CCI-001958"
 ],
 "nist": [
- "CM-6 b",
- "IA-3",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
- "MP-7"
+ "MP-7",
+ "CM-6 b.",
+ "IA-3"
 ],
 "severity": "medium",
 "description": "The autofs daemon mounts and unmounts filesystems, such as user\nhome directories shared via NFS, on demand. In addition, autofs can be used to handle\nremovable media, and the default configuration provides the cdrom device as /misc/cd.\nHowever, this method of providing access to removable media is not common, so autofs\ncan almost always be disabled if NFS is not in use. Even if NFS is required, it may be\npossible to configure filesystem mounts statically by editing /etc/fstab\nrather than relying on the automounter.\n\n\nThe autofs service can be disabled with the following command:\n$ sudo systemctl mask --now autofs.service",
@@ -95102,7 +95005,6 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -95732,8 +95634,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -96343,8 +96243,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -96954,8 +96852,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -97565,8 +97461,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -98176,8 +98070,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -98797,13 +98689,13 @@
 "CCI-001764"
 ],
 "nist": [
- "CM-7 (2)",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-7 (2)"
 ],
 "severity": "medium",
 "description": "The nodev mount option can be used to prevent creation of device\nfiles in /dev/shm. Legitimate character and block devices should\nnot exist within temporary directories like /dev/shm.\nAdd the nodev option to the fourth column of\n/etc/fstab for the line which controls mounting of\n/dev/shm.",
@@ -99602,13 +99494,13 @@
 "CCI-001764"
 ],
 "nist": [
- "CM-7 (2)",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-7 (2)"
 ],
 "severity": "medium",
 "description": "The noexec mount option can be used to prevent binaries\nfrom being executed out of /dev/shm.\nIt can be dangerous to allow the execution of binaries\nfrom world-writable temporary storage directories such as /dev/shm.\nAdd the noexec option to the fourth column of\n/etc/fstab for the line which controls mounting of\n/dev/shm.",
@@ -100407,13 +100299,13 @@
 "CCI-001764"
 ],
 "nist": [
- "CM-7 (2)",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-7 (2)"
 ],
 "severity": "medium",
 "description": "The nosuid mount option can be used to prevent execution\nof setuid programs in /dev/shm. The SUID and SGID permissions should not\nbe required in these world-writable directories.\nAdd the nosuid option to the fourth column of\n/etc/fstab for the line which controls mounting of\n/dev/shm.",
@@ -101296,13 +101188,13 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The nodev mount option prevents files from being\ninterpreted as character or block devices.\nLegitimate character and block devices should exist only in\nthe /dev directory on the root partition or within chroot\njails built for system services.\nAdd the nodev option to the fourth column of\n/etc/fstab for the line which controls mounting of\n\n any removable media partitions.",
@@ -102250,14 +102142,14 @@
 "CCI-000366"
 ],
 "nist": [
- "AC-19 e",
- "CM-6 b",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "AC-19 e.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The noexec mount option prevents the direct execution of binaries\non the mounted filesystem. Preventing the direct execution of binaries from\nremovable media (such as a USB key) provides a defense against malicious\nsoftware that may be present on such untrusted media.\nAdd the noexec option to the fourth column of\n/etc/fstab for the line which controls mounting of\n\n any removable media partitions.",
@@ -103212,13 +103104,13 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The nosuid mount option prevents set-user-identifier (SUID)\nand set-group-identifier (SGID) permissions from taking effect. These permissions\nallow users to execute binaries with the same permissions as the owner and group\nof the file respectively. Users should not be allowed to introduce SUID and SGID\nfiles into the system via partitions mounted from removeable media.\nAdd the nosuid option to the fourth column of\n/etc/fstab for the line which controls mounting of\n\n any removable media partitions.",
@@ -104365,13 +104257,13 @@
 "CCI-001764"
 ],
 "nist": [
- "CM-7 (2)",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-7 (2)"
 ],
 "severity": "medium",
 "description": "The nodev mount option can be used to prevent device files from\nbeing created in /tmp. Legitimate character and block devices\nshould not exist within temporary directories like /tmp.\nAdd the nodev option to the fourth column of\n/etc/fstab for the line which controls mounting of\n/tmp.",
@@ -105184,13 +105076,13 @@
 "CCI-001764"
 ],
 "nist": [
- "CM-7 (2)",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
 "AC-6",
 "AC-6 (1)",
- "MP-7"
+ "MP-7",
+ "CM-7 (2)"
 ],
 "severity": "medium",
 "description": "The nosuid mount option can be used to prevent\nexecution of setuid programs in /tmp. The SUID and SGID permissions\nshould not be required in these world-writable directories.\nAdd the nosuid option to the fourth column of\n/etc/fstab for the line which controls mounting of\n/tmp.",
@@ -106282,8 +106174,8 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
- "CM-6"
+ "CM-6",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The ProcessSizeMax option in [Coredump] section\nof /etc/systemd/coredump.conf\nspecifies the maximum size in bytes of a core which will be processed.\nCore dumps exceeding this size may be stored, but the backtrace will not\nbe generated.",
@@ -106387,8 +106279,8 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
- "CM-6"
+ "CM-6",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The Storage option in [Coredump] section\nof /etc/systemd/coredump.conf\ncan be set to none to disable storing core dumps permanently.",
@@ -106490,8 +106382,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "SI-11 a.",
 "SI-11 b."
 ],
@@ -106650,12 +106540,12 @@
 "CCI-000366"
 ],
 "nist": [
- "SI-16",
- "CM-6 b",
 "SC-30",
 "SC-30 (2)",
 "SC-30 (5)",
- "CM-6 a."
+ "CM-6 a.",
+ "SI-16",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=\nTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = ",
@@ -106994,11 +106884,11 @@
 "CCI-002824"
 ],
 "nist": [
- "CM-6 b",
- "SI-16",
 "SC-30",
 "SC-30 (2)",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b.",
+ "SI-16"
 ],
 "severity": "medium",
 "description": "To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2\nTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2",
@@ -107399,7 +107289,6 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a",
 "CM-7 a.",
 "CM-7 (5) b."
 ],
@@ -107554,13 +107443,13 @@
 "CCI-002696"
 ],
 "nist": [
- "SC-3",
- "AC-3 (4)",
- "SI-6 a",
 "AC-3",
 "AC-3 (3) a.",
 "AU-9",
- "SC-7 (21)"
+ "SC-7 (21)",
+ "SC-3",
+ "AC-3 (4)",
+ "SI-6 a."
 ],
 "severity": "high",
 "description": "The SELinux state should be set to at\nsystem boot time. In the file /etc/selinux/config, add or correct the\nfollowing line to configure the system to boot into enforcing mode:\nSELINUX=",
@@ -109076,8 +108965,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -109669,8 +109556,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a."
 ],
 "severity": "medium",
@@ -110272,8 +110157,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a."
 ],
 "severity": "medium",
@@ -110901,8 +110784,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -111875,8 +111756,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -112690,8 +112569,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -113569,8 +113446,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a."
@@ -114168,7 +114043,6 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-6 b."
 ],
 "severity": "medium",
@@ -114357,9 +114231,9 @@
 "CCI-000366"
 ],
 "nist": [
- "AU-5 a",
- "CM-6 b",
- "CM-6 a."
+ "CM-6 a.",
+ "AU-5 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Make sure that mails delivered to root user are forwarded to a monitored\nemail address. Make sure that the address\n is a valid email address\nreachable from the system in question. Use the following command to\nconfigure the alias:\n$ sudo echo \"root: \" >> /etc/aliases\n$ sudo newaliases",
@@ -114470,7 +114344,6 @@
 "CCI-000139"
 ],
 "nist": [
- "AU-5 a",
 "AU-5 a.",
 "AU-5 (1) ii."
 ],
@@ -114887,8 +114760,8 @@
 "CCI-000160"
 ],
 "nist": [
- "AU-8 (1)",
- "CM-6 a."
+ "CM-6 a.",
+ "AU-8 (1)"
 ],
 "severity": "high",
 "description": "The ntpd service should be installed.",
@@ -115304,9 +115177,9 @@
 "CCI-000160"
 ],
 "nist": [
- "AU-8 (1)",
 "CM-6 a.",
- "AU-8 (1) a."
+ "AU-8 (1) a.",
+ "AU-8 (1)"
 ],
 "severity": "high",
 "description": "\nThe ntp service can be enabled with the following command:\n$ sudo systemctl enable ntp.service",
@@ -115647,8 +115520,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a.",
 "AU-8 (1) a."
 ],
@@ -115961,9 +115832,9 @@
 "CCI-000160"
 ],
 "nist": [
- "AU-8 (1)",
 "CM-6 a.",
- "AU-8 (1) a."
+ "AU-8 (1) a.",
+ "AU-8 (1)"
 ],
 "severity": "high",
 "description": "\nThe systemd_timesyncd service can be enabled with the following command:\n$ sudo systemctl enable systemd_timesyncd.service",
@@ -116306,7 +116177,7 @@
 "CCI-001891"
 ],
 "nist": [
- "AU-8 (1) (a)"
+ "AU-8 (1) a."
 ],
 "severity": "medium",
 "description": "Check that Chrony only has time sources configured with the server directive.",
@@ -116398,10 +116269,9 @@
 "CCI-001891"
 ],
 "nist": [
- "AU-8 (1)",
- "AU-8 (1) (a)",
 "CM-6 a.",
- "AU-8 (1) a."
+ "AU-8 (1) a.",
+ "AU-8 (1)"
 ],
 "severity": "medium",
 "description": "Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to\nsynchronize system clocks across a variety of systems and use a source that is highly\naccurate. More information on chrony can be found at\n\n http://chrony.tuxfamily.org/.\nChrony can be configured to be a client and/or a server.\nAdd or edit server or pool lines to /etc/chrony/chrony.conf as appropriate:\nserver \nMultiple servers may be configured.",
@@ -116516,8 +116386,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a.",
 "AU-8 (1) a.",
 "AU-8 (2)"
@@ -116841,8 +116709,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-6 a.",
 "AU-8 (1) a."
 ],
@@ -117163,10 +117029,10 @@
 "CCI-001436"
 ],
 "nist": [
- "AC-17 (8)",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "AC-17 (8)"
 ],
 "severity": "high",
 "description": "The files /etc/hosts.equiv and ~/.rhosts (in\neach user's home directory) list remote hosts and users that are trusted by the\nlocal system when using the rshd daemon.\nTo remove these files, run the following command to delete them from any\nlocation:\n$ sudo rm /etc/hosts.equiv\n$ rm ~/.rhosts",
@@ -118003,12 +117869,12 @@
 "CCI-002361"
 ],
 "nist": [
- "MA-4 e",
- "SC-10",
- "AC-12",
 "AC-2 (5)",
+ "AC-12",
 "AC-17 a.",
- "CM-6 a."
+ "SC-10",
+ "CM-6 a.",
+ "MA-4 e."
 ],
 "severity": "medium",
 "description": "The SSH server sends at most ClientAliveCountMax messages\nduring a SSH session and waits for a response from the SSH client.\nThe option ClientAliveInterval configures timeout after\neach ClientAliveCountMax message. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\n\nTo ensure the SSH timeout occurs precisely when the\nClientAliveInterval is set, set the ClientAliveCountMax to\nvalue of 0 in\n\n\n/etc/ssh/sshd_config:",
@@ -118930,12 +118796,12 @@
 "CCI-002361"
 ],
 "nist": [
- "MA-4 e",
- "SC-10",
- "AC-12",
 "AC-2 (5)",
+ "AC-12",
 "AC-17 a.",
- "CM-6 a."
+ "SC-10",
+ "CM-6 a.",
+ "MA-4 e."
 ],
 "severity": "medium",
 "description": "The SSH server sends at most ClientAliveCountMax messages\nduring a SSH session and waits for a response from the SSH client.\nThe option ClientAliveInterval configures timeout after\neach ClientAliveCountMax message. If the SSH server does not\nreceive a response from the client, then the connection is considered unresponsive\nand terminated.\nFor SSH earlier than v8.2, a ClientAliveCountMax value of 0\ncauses a timeout precisely when the ClientAliveInterval is set.\nStarting with v8.2, a value of 0 disables the timeout functionality\ncompletely. If the option is set to a number greater than 0, then\nthe session will be disconnected after\nClientAliveInterval * ClientAliveCountMax seconds without receiving\na keep alive message.",
@@ -119831,12 +119697,12 @@
 "CCI-002361"
 ],
 "nist": [
- "MA-4 e",
- "SC-10",
- "AC-12",
 "CM-6 a.",
 "AC-17 a.",
- "AC-2 (5)"
+ "AC-2 (5)",
+ "AC-12",
+ "SC-10",
+ "MA-4 e."
 ],
 "severity": "medium",
 "description": "SSH allows administrators to set a network responsiveness timeout interval.\nAfter this interval has passed, the unresponsive client will be automatically logged out.\n\nTo set this timeout interval, edit the following line in /etc/ssh/sshd_config as\nfollows:\nClientAliveInterval \n\nThe timeout interval is given in seconds. For example, have a timeout\nof 10 minutes, set interval to 600.\n\nIf a shorter timeout has already been set for the login shell, that value will\npreempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that\nsome processes may stop SSH from correctly detecting that the user is idle.",
@@ -120744,12 +120610,12 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-3",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH's cryptographic host-based authentication is\nmore secure than .rhosts authentication. However, it is\nnot recommended that hosts unilaterally trust one another, even\nwithin an organization.\n\nThe default SSH configuration disables host-based authentication. The appropriate\nconfiguration is used if no value is set for HostbasedAuthentication.\n\nTo explicitly disable host-based authentication, add or correct the\nfollowing line in\n\n\n/etc/ssh/sshd_config:\n\nHostbasedAuthentication no",
@@ -121780,14 +121646,13 @@
 "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (c)",
- "CM-6 b",
 "CM-6 a.",
 "AC-17 a.",
 "AC-17 (2)",
 "IA-5 (1) c.",
 "SC-13",
- "MA-4 (6)"
+ "MA-4 (6)",
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "Only SSH protocol version 2 connections should be\npermitted. The default setting in\n/etc/ssh/sshd_config is correct, and can be\nverified by ensuring that the following\nline appears:\nProtocol 2",
@@ -122663,11 +122528,11 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Compression is useful for slow network connections over long\ndistances but can cause performance issues on local LANs. If use of compression\nis required, it should be enabled only after a user has authenticated; otherwise,\nit should be disabled. To disable compression or delay compression until after\na user has successfully authenticated, add or correct the following line in the\n/etc/ssh/sshd_config file:\nCompression ",
@@ -122970,12 +122835,12 @@
 "CCI-000766"
 ],
 "nist": [
- "CM-6 b",
- "IA-2 (2)",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b.",
+ "IA-2 (2)"
 ],
 "severity": "high",
 "description": "Disallow SSH login with empty passwords.\nThe default SSH configuration disables logins with empty passwords. The appropriate\nconfiguration is used if no value is set for PermitEmptyPasswords.\n\nTo explicitly disallow SSH login from accounts with empty passwords,\nadd or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\n\nPermitEmptyPasswords no\nAny accounts with empty passwords should be disabled immediately, and PAM configuration\nshould prevent users from being able to assign themselves empty passwords.",
@@ -124060,16 +123925,16 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-3 f",
- "CM-6 c",
- "CM-11 (2)",
- "CM-5 (1) (a)",
- "CM-5 (1)",
- "CM-6 b",
 "CM-7 a.",
 "CM-7 b.",
 "CM-6 a.",
- "AC-17 a."
+ "AC-17 a.",
+ "CM-3 f.",
+ "CM-6 c.",
+ "CM-11 (2)",
+ "CM-5 (1) a.",
+ "CM-5 (1)",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like GSSAPI.\n\nThe default SSH configuration disallows authentications based on GSSAPI. The appropriate\nconfiguration is used if no value is set for GSSAPIAuthentication.\n\nTo explicitly disable GSSAPI authentication, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nGSSAPIAuthentication no",
@@ -124461,16 +124326,16 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-3 f",
- "CM-6 c",
- "CM-11 (2)",
- "CM-5 (1) (a)",
- "CM-5 (1)",
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-3 f.",
+ "CM-6 c.",
+ "CM-11 (2)",
+ "CM-5 (1) a.",
+ "CM-5 (1)",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Unless needed, SSH should not permit extraneous or unnecessary\nauthentication mechanisms like Kerberos.\n\nThe default SSH configuration disallows authentication validation through Kerberos.\nThe appropriate configuration is used if no value is set for KerberosAuthentication.\n\nTo explicitly disable Kerberos authentication, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nKerberosAuthentication no",
@@ -124986,11 +124851,11 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH can emulate the behavior of the obsolete rsh\ncommand in allowing users to enable insecure access to their\naccounts via .rhosts files.\n\nThe default SSH configuration disables support for .rhosts. The appropriate\nconfiguration is used if no value is set for IgnoreRhosts.\n\nTo explicitly disable support for .rhosts files, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nIgnoreRhosts yes",
@@ -125786,11 +125651,11 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH can allow authentication through the obsolete rsh\ncommand through the use of the authenticating user's SSH keys. This should be disabled.\n\nTo ensure this behavior is disabled, add or correct the\nfollowing line in /etc/ssh/sshd_config:\nRhostsRSAAuthentication no",
@@ -126098,14 +125963,14 @@
 "CCI-000770"
 ],
 "nist": [
- "CM-6 b",
- "IA-2 (5)",
 "AC-6 (2)",
 "AC-17 a.",
 "IA-2",
+ "IA-2 (5)",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The root user should never be allowed to login to a\nsystem directly over a network.\nTo disable root login via SSH, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nPermitRootLogin no",
@@ -127405,11 +127270,11 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH can allow system users to connect to systems if a cache of the remote\nsystems public keys is available. This should be disabled.\n\nTo ensure this behavior is disabled, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nIgnoreUserKnownHosts yes",
@@ -127712,7 +127577,6 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-6 b."
 ],
 "severity": "medium",
@@ -127792,11 +127656,11 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-7 a.",
 "CM-7 b.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Ensure that users are not able to override environment variables of the SSH daemon.\n\nThe default SSH configuration disables environment processing. The appropriate\nconfiguration is used if no value is set for PermitUserEnvironment.\n\nTo explicitly disable Environment options, add or correct the following\n\n\n/etc/ssh/sshd_config:\n\nPermitUserEnvironment no",
@@ -128172,7 +128036,7 @@
 "CCI-000877"
 ],
 "nist": [
- "MA-4 c"
+ "MA-4 c."
 ],
 "severity": "medium",
 "description": "UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will\nenable PAM authentication using ChallengeResponseAuthentication and\nPasswordAuthentication in addition to PAM account and session module processing for all\nauthentication types.\n\nTo enable PAM authentication, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nUsePAM yes",
@@ -128368,10 +128232,10 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-6",
 "AC-17 a.",
- "CM-6 a."
+ "CM-6 a.",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSHs StrictModes option checks file and ownership permissions in\nthe user's home directory .ssh folder before accepting login. If world-\nwritable permissions are found, logon is rejected.\n\nThe default SSH configuration has StrictModes enabled. The appropriate\nconfiguration is used if no value is set for StrictModes.\n\nTo explicitly enable StrictModes in SSH, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nStrictModes yes",
@@ -128927,15 +128791,14 @@
 "CCI-001388"
 ],
 "nist": [
- "AC-8 a",
- "AC-8 b",
- "AC-8 c 1",
- "AC-8 c 2",
- "AC-8 c 3",
 "AC-8 a.",
 "AC-8 c.",
 "AC-17 a.",
- "CM-6 a."
+ "CM-6 a.",
+ "AC-8 b.",
+ "AC-8 c. (1)",
+ "AC-8 c. (2)",
+ "AC-8 c. (3)"
 ],
 "severity": "medium",
 "description": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nBanner /etc/issue\nAnother section contains information on how to create an\nappropriate system-wide warning banner.",
@@ -129440,15 +129303,14 @@
 "CCI-001388"
 ],
 "nist": [
- "AC-8 a",
- "AC-8 b",
- "AC-8 c 1",
- "AC-8 c 2",
- "AC-8 c 3",
 "AC-8 a.",
 "AC-8 c.",
 "AC-17 a.",
- "CM-6 a."
+ "CM-6 a.",
+ "AC-8 b.",
+ "AC-8 c. (1)",
+ "AC-8 c. (2)",
+ "AC-8 c. (3)"
 ],
 "severity": "medium",
 "description": "To enable the warning banner and ensure it is consistent\nacross the system, add or correct the following line in\n\n/etc/ssh/sshd_config:\n\nBanner /etc/issue.net\nAnother section contains information on how to create an\nappropriate system-wide warning banner.",
@@ -129901,10 +129763,10 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-6 a.",
 "AC-17 a.",
- "AC-17 (2)"
+ "AC-17 (2)",
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "By default, remote X11 connections are not encrypted when initiated\nby users. SSH has the capability to encrypt remote X11 connections when SSH's\nX11Forwarding option is enabled.\n\nTo enable X11 Forwarding, add or correct the following line in\n\n\n/etc/ssh/sshd_config:\n\nX11Forwarding yes",
@@ -130301,8 +130163,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "AC-3",
 "CM-6 a."
 ],
@@ -131476,8 +131336,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "AC-17 a.",
 "CM-6 a."
 ],
@@ -131556,8 +131414,8 @@
 "CCI-000067"
 ],
 "nist": [
- "AC-17 (1)",
 "AC-17 a.",
+ "AC-17 (1)",
 "CM-6 a."
 ],
 "severity": "medium",
@@ -131935,10 +131793,10 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "CM-6 a.",
 "AC-17 a.",
- "AC-6"
+ "AC-6",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "When enabled, SSH will create an unprivileged child process that\nhas the privilege of the authenticated user. To enable privilege separation in\nSSH, add or correct the following line in the /etc/ssh/sshd_config file:\nUsePrivilegeSeparation ",
@@ -132484,10 +132342,10 @@
 "CCI-002422"
 ],
 "nist": [
+ "CM-6 a.",
 "SC-8",
 "SC-8 (2)",
- "SC-8 (1)",
- "CM-6 a."
+ "SC-8 (1)"
 ],
 "severity": "medium",
 "description": "The openssh-server package should be installed.\nThe openssh-server package can be installed with the following command:\n\n$ apt-get install openssh-server",
@@ -133000,8 +132858,6 @@
 "tags": {
 "cci": [],
 "nist": [
- "SA-11",
- "RA-5",
 "CM-3 (6)",
 "IA-2 (4)"
 ],
@@ -133074,10 +132930,10 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-6 a.",
- "AC-6 (1)"
+ "AC-6 (1)",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions.\nIf those files are owned by the root user and the root group, they have to have the 0600 permission or stricter.",
@@ -133596,10 +133452,10 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b",
 "AC-17 a.",
 "CM-6 a.",
- "AC-6 (1)"
+ "AC-6 (1)",
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": " To properly set the permissions of /etc/ssh/*.pub, run the command: $ sudo chmod 0644 /etc/ssh/*.pub",
@@ -134157,7 +134013,7 @@
 ]
 }
 ],
- "sha256": "6c0f98b81de8b9feb3e92a53d18334334e8419a84aa18c5c8dba502ba2d373c6"
+ "sha256": "235bbf09b40d4a49e58e2283eb1a1966a2b0fc63ac4dc244af0abf8ad489a057"
 }
 ],
 "passthrough": {
diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf-withraw.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf-withraw.json
index bc2d915e5b..ea95545995 100644
--- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf-withraw.json
+++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf-withraw.json
@@ -1,10 +1,10 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.8.1",
+ "release": "2.10.20",
 "target_id": "cpe:/o:redhat:enterprise_linux:7"
 },
- "version": "2.8.1",
+ "version": "2.10.20",
 "statistics": {},
 "profiles": [
 {
@@ -28,7 +28,7 @@
 "CCI-000048"
 ],
 "nist": [
- "AC-8 a"
+ "AC-8 a."
 ],
 "severity": "medium",
 "description": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false",
@@ -192,7 +192,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "medium",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -531,7 +531,7 @@
 "CCI-000057"
 ],
 "nist": [
- "AC-11 a"
+ "AC-11 a."
 ],
 "severity": "medium",
 "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false",
@@ -722,7 +722,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -886,7 +886,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -1050,7 +1050,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false", @@ -1206,7 +1206,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -1370,7 +1370,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false", 
@@ -1526,7 +1526,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false", @@ -1690,7 +1690,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -1881,7 +1881,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2072,7 +2072,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2263,7 +2263,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2454,7 +2454,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2665,7 +2665,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2860,7 +2860,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -3051,7 +3051,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -3246,7 +3246,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3410,7 +3410,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3574,7 +3574,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3738,7 +3738,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", 
@@ -3937,7 +3937,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", @@ -4093,7 +4093,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4288,7 +4288,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4444,7 +4444,7 @@ "CCI-000200" ], "nist": [ - "IA-5 (1) (e)" + "IA-5 (1) e." ], "severity": "medium", "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false", 
@@ -4643,7 +4643,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false", @@ -4850,7 +4850,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false", @@ -5178,7 +5178,7 @@ "CCI-000795" ], "nist": [ - "IA-4 e" + "IA-4 e." ], "severity": "medium", "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false", 
@@ -5713,7 +5713,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -5912,7 +5912,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6076,7 +6076,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6240,7 +6240,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6404,7 +6404,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", 
@@ -7052,7 +7052,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", @@ -7216,7 +7216,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false", @@ -7874,7 +7874,7 @@ "CCI-001958" ], "nist": [ - "CM-6 b", + "CM-6 b.", "IA-3" ], "severity": "medium", @@ -8205,7 +8205,7 @@ "CCI-001958" ], "nist": [ - "CM-6 b", + "CM-6 b.", "IA-3" ], "severity": "medium", @@ -8550,7 +8550,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false", 
@@ -8745,7 +8745,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.false", @@ -9073,7 +9073,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", @@ -9237,7 +9237,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false", 
@@ -9401,7 +9401,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.\n\nIn addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false", @@ -9557,7 +9557,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -9721,7 +9721,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", 
@@ -9885,7 +9885,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false", @@ -10049,7 +10049,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false", @@ -10213,7 +10213,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false", @@ -10377,7 +10377,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -10541,7 +10541,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -10705,7 +10705,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", 
@@ -10861,7 +10861,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -11030,7 +11030,7 @@ "nist": [ "AC-17 (2)", "SC-28", - "SC-13 b", + "SC-13 b.", "SC-28 (1)" ], "severity": "high", @@ -11219,7 +11219,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false", 
@@ -11384,8 +11384,8 @@ "CCI-000131" ], "nist": [ - "AU-2 c", - "AU-3 b" + "AU-2 c.", + "AU-3 b." ], "severity": "medium", "description": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false", @@ -11557,7 +11557,7 @@ "CCI-000139" ], "nist": [ - "AU-5 a" + "AU-5 a." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false", 
@@ -13313,8 +13313,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", @@ -13487,8 +13487,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", 
@@ -13661,8 +13661,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", @@ -13835,8 +13835,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", 
@@ -14008,7 +14008,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -14172,7 +14172,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -14336,7 +14336,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -14500,7 +14500,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -14664,7 +14664,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14828,7 +14828,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14992,7 +14992,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15156,7 +15156,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15320,7 +15320,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15485,8 +15485,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -15659,8 +15659,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -15833,8 +15833,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16007,8 +16007,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16181,8 +16181,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16355,8 +16355,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16529,8 +16529,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -16703,8 +16703,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -16877,8 +16877,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17051,8 +17051,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17218,9 +17218,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-2 c.",
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false",
@@ -17402,9 +17402,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-2 c.",
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false",
@@ -17587,8 +17587,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -17771,8 +17771,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -17955,8 +17955,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18139,8 +18139,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18323,8 +18323,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18507,10 +18507,10 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-3 a",
+ "AU-3 a.",
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18701,10 +18701,10 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-3 a",
+ "AU-3 a.",
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18895,10 +18895,10 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-3 a",
+ "AU-3 a.",
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19089,10 +19089,10 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-3 a",
+ "AU-3 a.",
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19283,10 +19283,10 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-3 a",
+ "AU-3 a.",
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19476,7 +19476,7 @@
 ],
 "nist": [
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false",
@@ -19650,7 +19650,7 @@
 ],
 "nist": [
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false",
@@ -19824,7 +19824,7 @@
 ],
 "nist": [
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false",
@@ -19998,7 +19998,7 @@
 ],
 "nist": [
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false",
@@ -20173,8 +20173,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -20357,8 +20357,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -20538,7 +20538,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.false",
@@ -20702,7 +20702,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false",
@@ -20858,7 +20858,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false",
@@ -21022,7 +21022,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false",
@@ -21186,7 +21186,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21350,7 +21350,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21510,7 +21510,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false", @@ -21702,7 +21702,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -21894,7 +21894,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", 
@@ -22086,7 +22086,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22278,7 +22278,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22467,8 +22467,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -22641,8 +22641,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -22815,8 +22815,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -22989,8 +22989,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23163,8 +23163,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23542,7 +23542,7 @@ ], "nist": [ "AC-17 (2)", - "CM-6 b", + "CM-6 b.", "IA-7" ], "severity": "medium", 
@@ -23889,7 +23889,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false", @@ -24447,7 +24447,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -24785,7 +24785,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -24949,7 +24949,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -25113,7 +25113,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false", 
@@ -25277,7 +25277,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25442,8 +25442,8 @@ "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", - "CM-6 b" + "IA-5 (1) c.", + "CM-6 b." ], "severity": "high", "description": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false", @@ -25779,7 +25779,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -25943,7 +25943,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -26111,10 +26111,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "medium", @@ -26307,10 +26307,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "medium", @@ -26507,7 +26507,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", 
@@ -26671,7 +26671,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false", @@ -26835,7 +26835,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", @@ -26991,7 +26991,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -27147,7 +27147,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27303,7 +27303,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", 
@@ -27459,7 +27459,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27646,7 +27646,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27833,7 +27833,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false", @@ -28020,7 +28020,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28207,7 +28207,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", 
@@ -28394,7 +28394,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28558,7 +28558,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28722,7 +28722,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -28882,10 +28882,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "high", 
@@ -29082,7 +29082,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.false", @@ -29246,7 +29246,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.false", @@ -29410,7 +29410,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", 
@@ -29574,7 +29574,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false", @@ -29738,7 +29738,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false", @@ -30622,7 +30622,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -31025,7 +31025,7 @@ ] } ], - "sha256": "5b6c4494fcb3a6ecee08140d8f3bba7ad7f601cd85cf4424f4485443354dbd9c" + "sha256": "486f8e8bb991a014fa253acc96d5956f2ddcd381dbbf8b17d65cd45e8c353ac9" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf.json index 4c4337ab6a..8419325b98 100644 
--- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel7-hdf.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:7" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { 
@@ -28,7 +28,7 @@ "CCI-000048" ], "nist": [ - "AC-8 a" + "AC-8 a." ], "severity": "medium", "description": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false", @@ -192,7 +192,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -531,7 +531,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -722,7 +722,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -886,7 +886,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -1050,7 +1050,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false", @@ -1206,7 +1206,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -1370,7 +1370,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false", 
@@ -1526,7 +1526,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false", @@ -1690,7 +1690,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -1881,7 +1881,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2072,7 +2072,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2263,7 +2263,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2454,7 +2454,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2665,7 +2665,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2860,7 +2860,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -3051,7 +3051,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -3246,7 +3246,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false",
@@ -3410,7 +3410,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false",
@@ -3574,7 +3574,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false",
@@ -3738,7 +3738,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -3937,7 +3937,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -4093,7 +4093,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false",
@@ -4288,7 +4288,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false",
@@ -4444,7 +4444,7 @@
 "CCI-000200"
 ],
 "nist": [
- "IA-5 (1) (e)"
+ "IA-5 (1) e."
 ],
 "severity": "medium",
 "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false",
@@ -4643,7 +4643,7 @@
 "CCI-000205"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false",
@@ -4850,7 +4850,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false",
@@ -5178,7 +5178,7 @@
 "CCI-000795"
 ],
 "nist": [
- "IA-4 e"
+ "IA-4 e."
 ],
 "severity": "medium",
 "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false",
@@ -5713,7 +5713,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -5912,7 +5912,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false",
@@ -6076,7 +6076,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false",
@@ -6240,7 +6240,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false",
@@ -6404,7 +6404,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false",
@@ -7052,7 +7052,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false",
@@ -7216,7 +7216,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false",
@@ -7874,7 +7874,7 @@
 "CCI-001958"
 ],
 "nist": [
- "CM-6 b",
+ "CM-6 b.",
 "IA-3"
 ],
 "severity": "medium",
@@ -8205,7 +8205,7 @@
 "CCI-001958"
 ],
 "nist": [
- "CM-6 b",
+ "CM-6 b.",
 "IA-3"
 ],
 "severity": "medium",
@@ -8550,7 +8550,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false",
@@ -8745,7 +8745,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available, while 7.9 is the final minor release overall.false",
@@ -9073,7 +9073,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false",
@@ -9237,7 +9237,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false",
@@ -9401,7 +9401,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.\n\nIn addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false",
@@ -9557,7 +9557,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -9721,7 +9721,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -9885,7 +9885,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If a world-writable directory is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false",
@@ -10049,7 +10049,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false",
@@ -10213,7 +10213,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false",
@@ -10377,7 +10377,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -10541,7 +10541,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -10705,7 +10705,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -10861,7 +10861,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -11030,7 +11030,7 @@
 "nist": [
 "AC-17 (2)",
 "SC-28",
- "SC-13 b",
+ "SC-13 b.",
 "SC-28 (1)"
 ],
 "severity": "high",
@@ -11219,7 +11219,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false",
@@ -11384,8 +11384,8 @@
 "CCI-000131"
 ],
 "nist": [
- "AU-2 c",
- "AU-3 b"
+ "AU-2 c.",
+ "AU-3 b."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false",
@@ -11557,7 +11557,7 @@
 "CCI-000139"
 ],
 "nist": [
- "AU-5 a"
+ "AU-5 a."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false",
@@ -13313,8 +13313,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -13487,8 +13487,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -13661,8 +13661,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -13835,8 +13835,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -14008,7 +14008,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14172,7 +14172,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14336,7 +14336,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14500,7 +14500,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14664,7 +14664,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14828,7 +14828,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14992,7 +14992,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15156,7 +15156,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15320,7 +15320,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15485,8 +15485,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -15659,8 +15659,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -15833,8 +15833,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16007,8 +16007,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16181,8 +16181,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16355,8 +16355,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", @@ -16529,8 +16529,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", 
@@ -16703,8 +16703,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", @@ -16877,8 +16877,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", 
@@ -17051,8 +17051,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", @@ -17218,9 +17218,9 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + "AU-2 c.", + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false", 
@@ -17402,9 +17402,9 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + "AU-2 c.", + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false", @@ -17587,8 +17587,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -17771,8 +17771,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -17955,8 +17955,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -18139,8 +18139,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -18323,8 +18323,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -18507,10 +18507,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18701,10 +18701,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -18895,10 +18895,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19089,10 +19089,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19283,10 +19283,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -19476,7 +19476,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -19650,7 +19650,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -19824,7 +19824,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -19998,7 +19998,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -20173,8 +20173,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -20357,8 +20357,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -20538,7 +20538,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.false", 
@@ -20702,7 +20702,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -20858,7 +20858,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21022,7 +21022,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21186,7 +21186,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21350,7 +21350,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21510,7 +21510,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false", @@ -21702,7 +21702,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -21894,7 +21894,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", 
@@ -22086,7 +22086,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22278,7 +22278,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22467,8 +22467,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -22641,8 +22641,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -22815,8 +22815,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -22989,8 +22989,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23163,8 +23163,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23542,7 +23542,7 @@ ], "nist": [ "AC-17 (2)", - "CM-6 b", + "CM-6 b.", "IA-7" ], "severity": "medium", 
@@ -23889,7 +23889,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false", @@ -24447,7 +24447,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -24785,7 +24785,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -24949,7 +24949,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -25113,7 +25113,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false", 
@@ -25277,7 +25277,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25442,8 +25442,8 @@ "CCI-000366" ], "nist": [ - "IA-5 (1) (c)", - "CM-6 b" + "IA-5 (1) c.", + "CM-6 b." ], "severity": "high", "description": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false", @@ -25779,7 +25779,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -25943,7 +25943,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -26111,10 +26111,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "medium", @@ -26307,10 +26307,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "medium", @@ -26507,7 +26507,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", 
@@ -26671,7 +26671,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false", @@ -26835,7 +26835,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", @@ -26991,7 +26991,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -27147,7 +27147,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27303,7 +27303,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", 
@@ -27459,7 +27459,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27646,7 +27646,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27833,7 +27833,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false", @@ -28020,7 +28020,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28207,7 +28207,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", 
@@ -28394,7 +28394,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28558,7 +28558,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28722,7 +28722,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -28882,10 +28882,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", - "CM-6 c", + "CM-3 f.", + "CM-6 c.", "CM-11 (2)", - "CM-5 (1) (a)", + "CM-5 (1) a.", "CM-5 (1)" ], "severity": "high", 
@@ -29082,7 +29082,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.false", @@ -29246,7 +29246,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.false", @@ -29410,7 +29410,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", 
@@ -29574,7 +29574,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false", @@ -29738,7 +29738,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false", @@ -30622,7 +30622,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -31025,7 +31025,7 @@ ] } ], - "sha256": "5b6c4494fcb3a6ecee08140d8f3bba7ad7f601cd85cf4424f4485443354dbd9c" + "sha256": "486f8e8bb991a014fa253acc96d5956f2ddcd381dbbf8b17d65cd45e8c353ac9" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf-withraw.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf-withraw.json index ed1503db43..ae82fa2bef 100644 
--- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf-withraw.json
+++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf-withraw.json
@@ -1,10 +1,10 @@
 {
 "platform": {
 "name": "Heimdall Tools",
- "release": "2.8.1",
+ "release": "2.10.20",
 "target_id": "cpe:/o:redhat:enterprise_linux:8"
 },
- "version": "2.8.1",
+ "version": "2.10.20",
 "statistics": {},
 "profiles": [
 {
@@ -28,7 +28,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.false",
@@ -302,7 +302,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.false",
@@ -439,7 +439,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "The system must use a strong hashing algorithm to store the password.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false",
@@ -576,7 +576,7 @@
 "CCI-000196"
 ],
 "nist": [
- "IA-5 (1) (c)"
+ "IA-5 (1) c."
 ],
 "severity": "medium",
 "description": "The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false",
@@ -1809,7 +1809,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -1946,7 +1946,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2083,7 +2083,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2220,7 +2220,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2357,7 +2357,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2494,7 +2494,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2631,7 +2631,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.false", @@ -4823,7 +4823,7 @@ "CCI-002696" ], "nist": [ - "SI-6 a" + "SI-6 a." ], "severity": "medium", "description": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false", 
@@ -4960,7 +4960,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The \"shosts.equiv\" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -5097,7 +5097,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The \".shosts\" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -5234,7 +5234,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -5371,7 +5371,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -5508,7 +5508,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", @@ -5645,7 +5645,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", 
@@ -5782,7 +5782,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -5919,7 +5919,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.false", @@ -6056,7 +6056,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6193,7 +6193,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6330,7 +6330,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6467,7 +6467,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", 
@@ -6741,7 +6741,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -6878,7 +6878,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", 
@@ -7015,7 +7015,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7152,7 +7152,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.false", @@ -7289,7 +7289,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"noexec\" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7426,7 +7426,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", 
@@ -7563,7 +7563,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7700,7 +7700,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -7837,7 +7837,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", @@ -7974,7 +7974,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", @@ -8111,7 +8111,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", 
@@ -8248,7 +8248,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false", @@ -8385,7 +8385,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH environment options potentially allow users to bypass access restriction in some configurations.false", @@ -8522,7 +8522,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -8659,7 +8659,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -8796,7 +8796,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -8933,7 +8933,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -9070,7 +9070,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9207,7 +9207,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -9344,7 +9344,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9481,7 +9481,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9618,7 +9618,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9755,7 +9755,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9892,7 +9892,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -10029,7 +10029,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -10303,7 +10303,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -10440,7 +10440,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", 
@@ -10577,7 +10577,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "low", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -10714,7 +10714,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nNote the value of \"retry\" set in these configuration files should be between \"1\" and \"3\". Manual changes to the listed files may be overwritten by the \"authselect\" program.false", 
@@ -10851,7 +10851,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -10988,7 +10988,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", 
@@ -11125,7 +11125,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -11262,7 +11262,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.false", 
@@ -11399,7 +11399,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.false", @@ -11536,7 +11536,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).false", 
@@ -11673,7 +11673,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"difok\" option sets the number of characters in a password that must not be present in the old password.false", @@ -11810,7 +11810,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", @@ -11947,7 +11947,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", 
@@ -12084,7 +12084,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false", @@ -12221,7 +12221,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false", @@ -12358,7 +12358,7 @@ "CCI-000200" ], "nist": [ - "IA-5 (1) (e)" + "IA-5 (1) e." ], "severity": "medium", "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 utilizes \"pwquality\" consecutively as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.false", 
@@ -12495,7 +12495,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\nThe \"minlen\", sometimes noted as minimum length, acts as a \"score\" of complexity based on the credit components of the \"pwquality\" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total \"score\" of \"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\nThe DoD minimum password requirement is 15 characters.false", @@ -12632,7 +12632,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nThe DoD minimum password requirement is 15 characters.false", 
@@ -12769,7 +12769,7 @@ "CCI-000795" ], "nist": [ - "IA-4 e" + "IA-4 e." ], "severity": "medium", "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nRHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.false", @@ -12906,7 +12906,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that to require special characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -13043,7 +13043,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.false", 
@@ -13180,7 +13180,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -13317,7 +13317,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false", @@ -13454,7 +13454,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -13591,7 +13591,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false", 
@@ -13865,7 +13865,7 @@ "CCI-000139" ], "nist": [ - "AU-5 a" + "AU-5 a." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false", @@ -14002,7 +14002,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false", 
@@ -14139,7 +14139,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false", 
@@ -14276,7 +14276,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false", @@ -14413,7 +14413,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.false", 
@@ -14687,7 +14687,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nEnriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.false", @@ -14824,7 +14824,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false", 
@@ -14961,7 +14961,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false", @@ -15098,7 +15098,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15235,7 +15235,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", 
@@ -15372,7 +15372,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15509,7 +15509,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15646,7 +15646,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", 
@@ -15783,7 +15783,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15920,7 +15920,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16057,7 +16057,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000476-GPOS-00221false", @@ -16194,7 +16194,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16331,7 +16331,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", @@ -16468,7 +16468,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16605,7 +16605,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", @@ -16742,7 +16742,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16879,7 +16879,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false", 
@@ -17016,7 +17016,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"su\" command allows a user to run commands with a substitute user and group ID.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -17153,7 +17153,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17290,7 +17290,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Removexattr\" is a system call that removes extended attributes.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17427,7 +17427,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false", 
@@ -17564,7 +17564,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The auid representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false", 
@@ -17701,7 +17701,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17838,7 +17838,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chage\" command is used to change or view user password expiry information.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false", 
@@ -17975,7 +17975,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chcon\" command is used to change file SELinux security context.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false", 
@@ -18112,7 +18112,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Setxattr\" is a system call used to set an extended attribute value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18249,7 +18249,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-agent\" is a program to hold private keys used for public key authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18386,7 +18386,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"passwd\" command is used to change passwords for user accounts.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18523,7 +18523,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" command is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18660,7 +18660,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"umount\" command is used to unmount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18797,7 +18797,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" syscall is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18934,7 +18934,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \"Unix_update\" is a helper program for the \"pam_unix\" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19071,7 +19071,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postdrop\" command creates a file in the maildrop directory and copies its standard input to the file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19208,7 +19208,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postqueue\" command implements the Postfix user interface for queue management.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19345,7 +19345,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"semanage\" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19482,7 +19482,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setfiles\" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19619,7 +19619,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"userhelper\" command is not intended to be run interactively. \"Userhelper\" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19756,7 +19756,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setsebool\" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19893,7 +19893,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"unix_chkpwd\" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20030,7 +20030,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-keysign\" program is an SSH helper program for host-based authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20167,7 +20167,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"setfacl\" command is used to set file access control lists.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20304,7 +20304,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"pam_timestamp_check\" command is used to check if the default timestamp is valid.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20441,7 +20441,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"newgrp\" command is used to change the current group ID during a login session.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20578,7 +20578,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20715,7 +20715,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" command will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20852,7 +20852,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"renameat\" command renames a file, moving it between directories if required.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20989,7 +20989,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rmdir\" command removes empty directories.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21126,7 +21126,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlink\" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21263,7 +21263,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21400,7 +21400,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"gpasswd\" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21537,7 +21537,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"finit_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21674,7 +21674,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"delete_module\" command is used to unload a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21811,7 +21811,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"crontab\" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21948,7 +21948,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chsh\" command is used to change the login shell.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -22085,7 +22085,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22222,7 +22222,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"openat\" system call opens a file specified by a relative pathname.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22359,7 +22359,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"open system\" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22496,7 +22496,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of openat into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22633,7 +22633,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22770,7 +22770,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"creat\" system call is used to open and possibly create a file or device.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22907,7 +22907,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23044,7 +23044,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23181,7 +23181,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23318,7 +23318,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23455,7 +23455,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23592,7 +23592,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23729,7 +23729,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmod\" system call is used to change permissions of a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23866,7 +23866,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"sudo\" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24003,7 +24003,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"usermod\" command modifies the system account files to reflect the changes that are specified on the command line.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24140,7 +24140,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chacl\" command is used to change the access control list of a file or directory.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24277,7 +24277,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"kmod\" command is used to control Linux Kernel modules.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -24414,7 +24414,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218false", 
@@ -24551,7 +24551,7 @@ "CCI-000171" ], "nist": [ - "AU-12 b" + "AU-12 b." ], "severity": "medium", "description": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false", @@ -24688,7 +24688,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.false", 
@@ -24825,7 +24825,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false", @@ -24962,7 +24962,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false", 
@@ -25099,7 +25099,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false", 
@@ -25236,7 +25236,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false", 
@@ -25647,7 +25647,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", @@ -25784,7 +25784,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", 
@@ -25921,7 +25921,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", 
@@ -26058,7 +26058,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26195,7 +26195,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26332,7 +26332,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042false", @@ -26469,7 +26469,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.false", 
@@ -26606,7 +26606,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.false", @@ -26743,7 +26743,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.false", 
@@ -26880,7 +26880,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.false", @@ -27017,7 +27017,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the server.\n\nCompressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.false", 
@@ -27154,7 +27154,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.false", @@ -29894,7 +29894,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false", @@ -30031,7 +30031,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false", @@ -30168,7 +30168,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", 
@@ -30305,7 +30305,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -30442,7 +30442,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -30579,7 +30579,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -30716,7 +30716,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -30853,7 +30853,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -30990,7 +30990,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31127,7 +31127,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31264,7 +31264,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31401,7 +31401,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31538,7 +31538,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31675,7 +31675,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31812,7 +31812,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -31949,7 +31949,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -32086,7 +32086,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -32223,7 +32223,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", @@ -32360,7 +32360,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false", 
@@ -32497,7 +32497,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a \"no\" setting.\n\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.false", @@ -32634,7 +32634,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.false", @@ -32771,7 +32771,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false", 
@@ -32908,7 +32908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -33045,7 +33045,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.false", 
@@ -33182,7 +33182,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.false", @@ -33319,7 +33319,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.false", 
@@ -33593,7 +33593,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -33999,7 +33999,7 @@ ] } ], - "sha256": "5a177738c042894016143e291052619f0b603ff22b2d5f0d3fd9c0ae979cb3e0" + "sha256": "72ae05ba6f1e67183dcbb4020cdd1cb439f3bafde9e7e0f9961aa8d468280e91" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf.json index c8b7e550ea..e7b3ae8f96 100644 --- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-openscap-rhel8-hdf.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:8" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { 
@@ -28,7 +28,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.false", @@ -302,7 +302,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.false", 
@@ -439,7 +439,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", @@ -576,7 +576,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", @@ -1809,7 +1809,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -1946,7 +1946,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2083,7 +2083,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2220,7 +2220,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2357,7 +2357,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2494,7 +2494,7 @@
 "CCI-001314"
 ],
 "nist": [
- "SI-11 b"
+ "SI-11 b."
 ],
 "severity": "medium",
 "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false",
@@ -2631,7 +2631,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.false",
@@ -4823,7 +4823,7 @@
 "CCI-002696"
 ],
 "nist": [
- "SI-6 a"
+ "SI-6 a."
 ],
 "severity": "medium",
 "description": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false",
@@ -4960,7 +4960,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "The \"shosts.equiv\" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false",
@@ -5097,7 +5097,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "The \".shosts\" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false",
@@ -5234,7 +5234,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false",
@@ -5371,7 +5371,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false",
@@ -5508,7 +5508,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false",
@@ -5645,7 +5645,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false",
@@ -5782,7 +5782,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false",
@@ -5919,7 +5919,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.false",
@@ -6056,7 +6056,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6193,7 +6193,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6330,7 +6330,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6467,7 +6467,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6741,7 +6741,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -6878,7 +6878,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -7015,7 +7015,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7152,7 +7152,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.false",
@@ -7289,7 +7289,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"noexec\" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7426,7 +7426,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7563,7 +7563,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7700,7 +7700,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -7837,7 +7837,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -7974,7 +7974,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -8111,7 +8111,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -8248,7 +8248,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false",
@@ -8385,7 +8385,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH environment options potentially allow users to bypass access restriction in some configurations.false",
@@ -8522,7 +8522,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8659,7 +8659,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8796,7 +8796,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8933,7 +8933,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9070,7 +9070,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9207,7 +9207,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9344,7 +9344,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9481,7 +9481,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9618,7 +9618,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9755,7 +9755,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9892,7 +9892,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -10029,7 +10029,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -10303,7 +10303,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "medium",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10440,7 +10440,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "medium",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10577,7 +10577,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "low",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10714,7 +10714,7 @@
 "CCI-000192"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nNote the value of \"retry\" set in these configuration files should be between \"1\" and \"3\". Manual changes to the listed files may be overwritten by the \"authselect\" program.false",
@@ -10851,7 +10851,7 @@
 "CCI-000192"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -10988,7 +10988,7 @@
 "CCI-000193"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -11125,7 +11125,7 @@
 "CCI-000194"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -11262,7 +11262,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.false",
@@ -11399,7 +11399,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.false",
@@ -11536,7 +11536,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).false",
@@ -11673,7 +11673,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"difok\" option sets the number of characters in a password that must not be present in the old password.false",
@@ -11810,7 +11810,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -11947,7 +11947,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -12084,7 +12084,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false",
@@ -12221,7 +12221,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false",
@@ -12358,7 +12358,7 @@
 "CCI-000200"
 ],
 "nist": [
- "IA-5 (1) (e)"
+ "IA-5 (1) e."
 ],
 "severity": "medium",
 "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 utilizes \"pwquality\" consecutively as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.false",
@@ -12495,7 +12495,7 @@
 "CCI-000205"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\nThe \"minlen\", sometimes noted as minimum length, acts as a \"score\" of complexity based on the credit components of the \"pwquality\" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total \"score\" of \"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\nThe DoD minimum password requirement is 15 characters.false",
@@ -12632,7 +12632,7 @@
 "CCI-000205"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nThe DoD minimum password requirement is 15 characters.false",
@@ -12769,7 +12769,7 @@
 "CCI-000795"
 ],
 "nist": [
- "IA-4 e"
+ "IA-4 e."
 ],
 "severity": "medium",
 "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nRHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.false",
@@ -12906,7 +12906,7 @@
 "CCI-001619"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that to require special characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -13043,7 +13043,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.false",
@@ -13180,7 +13180,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -13317,7 +13317,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false",
@@ -13454,7 +13454,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false",
@@ -13591,7 +13591,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false",
@@ -13865,7 +13865,7 @@
 "CCI-000139"
 ],
 "nist": [
- "AU-5 a"
+ "AU-5 a."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false",
@@ -14002,7 +14002,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false",
@@ -14139,7 +14139,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false",
@@ -14276,7 +14276,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false",
@@ -14413,7 +14413,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.false",
@@ -14687,7 +14687,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nEnriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.false",
@@ -14824,7 +14824,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false",
@@ -14961,7 +14961,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false",
@@ -15098,7 +15098,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15235,7 +15235,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15372,7 +15372,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15509,7 +15509,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15646,7 +15646,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15783,7 +15783,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15920,7 +15920,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16057,7 +16057,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000476-GPOS-00221false",
@@ -16194,7 +16194,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16331,7 +16331,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16468,7 +16468,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16605,7 +16605,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16742,7 +16742,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16879,7 +16879,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false",
@@ -17016,7 +17016,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"su\" command allows a user to run commands with a substitute user and group ID.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -17153,7 +17153,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17290,7 +17290,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Removexattr\" is a system call that removes extended attributes.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17427,7 +17427,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false", 
@@ -17564,7 +17564,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The auid representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false", 
@@ -17701,7 +17701,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17838,7 +17838,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chage\" command is used to change or view user password expiry information.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false", 
@@ -17975,7 +17975,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chcon\" command is used to change file SELinux security context.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false", 
@@ -18112,7 +18112,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Setxattr\" is a system call used to set an extended attribute value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18249,7 +18249,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-agent\" is a program to hold private keys used for public key authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18386,7 +18386,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"passwd\" command is used to change passwords for user accounts.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18523,7 +18523,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" command is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18660,7 +18660,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"umount\" command is used to unmount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18797,7 +18797,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" syscall is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -18934,7 +18934,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \"Unix_update\" is a helper program for the \"pam_unix\" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19071,7 +19071,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postdrop\" command creates a file in the maildrop directory and copies its standard input to the file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19208,7 +19208,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postqueue\" command implements the Postfix user interface for queue management.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19345,7 +19345,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"semanage\" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19482,7 +19482,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setfiles\" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19619,7 +19619,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"userhelper\" command is not intended to be run interactively. \"Userhelper\" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19756,7 +19756,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setsebool\" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19893,7 +19893,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"unix_chkpwd\" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20030,7 +20030,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-keysign\" program is an SSH helper program for host-based authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20167,7 +20167,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"setfacl\" command is used to set file access control lists.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20304,7 +20304,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"pam_timestamp_check\" command is used to check if the default timestamp is valid.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20441,7 +20441,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"newgrp\" command is used to change the current group ID during a login session.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20578,7 +20578,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20715,7 +20715,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" command will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20852,7 +20852,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"renameat\" command renames a file, moving it between directories if required.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -20989,7 +20989,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rmdir\" command removes empty directories.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21126,7 +21126,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlink\" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21263,7 +21263,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21400,7 +21400,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"gpasswd\" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21537,7 +21537,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"finit_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21674,7 +21674,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"delete_module\" command is used to unload a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21811,7 +21811,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"crontab\" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -21948,7 +21948,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chsh\" command is used to change the login shell.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -22085,7 +22085,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22222,7 +22222,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"openat\" system call opens a file specified by a relative pathname.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22359,7 +22359,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"open system\" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22496,7 +22496,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of openat into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22633,7 +22633,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22770,7 +22770,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"creat\" system call is used to open and possibly create a file or device.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false", 
@@ -22907,7 +22907,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23044,7 +23044,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23181,7 +23181,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23318,7 +23318,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23455,7 +23455,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23592,7 +23592,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23729,7 +23729,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmod\" system call is used to change permissions of a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false", 
@@ -23866,7 +23866,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"sudo\" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24003,7 +24003,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"usermod\" command modifies the system account files to reflect the changes that are specified on the command line.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24140,7 +24140,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chacl\" command is used to change the access control list of a file or directory.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -24277,7 +24277,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"kmod\" command is used to control Linux Kernel modules.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -24414,7 +24414,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218false", 
@@ -24551,7 +24551,7 @@ "CCI-000171" ], "nist": [ - "AU-12 b" + "AU-12 b." ], "severity": "medium", "description": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false", @@ -24688,7 +24688,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.false", 
@@ -24825,7 +24825,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false", @@ -24962,7 +24962,7 @@ "CCI-001493" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false", 
@@ -25099,7 +25099,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false",
@@ -25236,7 +25236,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false",
@@ -25647,7 +25647,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false",
@@ -25784,7 +25784,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false",
@@ -25921,7 +25921,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false",
@@ -26058,7 +26058,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false",
@@ -26195,7 +26195,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false",
@@ -26332,7 +26332,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042false",
@@ -26469,7 +26469,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.false",
@@ -26606,7 +26606,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.false",
@@ -26743,7 +26743,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.false",
@@ -26880,7 +26880,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.false",
@@ -27017,7 +27017,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the server.\n\nCompressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.false",
@@ -27154,7 +27154,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "low",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.false",
@@ -29894,7 +29894,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false",
@@ -30031,7 +30031,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false",
@@ -30168,7 +30168,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false",
@@ -30305,7 +30305,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -30442,7 +30442,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -30579,7 +30579,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -30716,7 +30716,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -30853,7 +30853,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -30990,7 +30990,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31127,7 +31127,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31264,7 +31264,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31401,7 +31401,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31538,7 +31538,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31675,7 +31675,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31812,7 +31812,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -31949,7 +31949,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false",
@@ -32086,7 +32086,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", 
@@ -32223,7 +32223,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe sysctl --system command will load settings from all system configuration files. All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence. Files are read from directories in the following list from top to bottom. Once a file of a given filename is loaded, any file of the same name in subsequent directories is ignored.\n/etc/sysctl.d/*.conf\n/run/sysctl.d/*.conf\n/usr/local/lib/sysctl.d/*.conf\n/usr/lib/sysctl.d/*.conf\n/lib/sysctl.d/*.conf\n/etc/sysctl.conf\n\nBased on the information above, if a configuration file that begins with \"99-\" is created in the \"/etc/sysctl.d/\" directory, it will take precedence over any other configuration file on the system.false", @@ -32360,7 +32360,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false", 
@@ -32497,7 +32497,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a \"no\" setting.\n\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.false", @@ -32634,7 +32634,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.false", @@ -32771,7 +32771,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false", 
@@ -32908,7 +32908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -33045,7 +33045,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.false", 
@@ -33182,7 +33182,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.false", @@ -33319,7 +33319,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.false", 
@@ -33593,7 +33593,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -33999,7 +33999,7 @@ ] } ], - "sha256": "5a177738c042894016143e291052619f0b603ff22b2d5f0d3fd9c0ae979cb3e0" + "sha256": "72ae05ba6f1e67183dcbb4020cdd1cb439f3bafde9e7e0f9961aa8d468280e91" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf-withraw.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf-withraw.json index 523c88c7dd..78605d865a 100644 --- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf-withraw.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:7" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { 
@@ -28,7 +28,7 @@ "CCI-000048" ], "nist": [ - "AC-8 a" + "AC-8 a." ], "severity": "medium", "description": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false", @@ -193,7 +193,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -534,7 +534,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -727,7 +727,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -892,7 +892,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -1057,7 +1057,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false", @@ -1214,7 +1214,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -1379,7 +1379,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false", 
@@ -1536,7 +1536,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false", @@ -1701,7 +1701,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -1894,7 +1894,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2087,7 +2087,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2280,7 +2280,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2473,7 +2473,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2686,7 +2686,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2883,7 +2883,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -3076,7 +3076,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -3273,7 +3273,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3438,7 +3438,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3603,7 +3603,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3768,7 +3768,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", 
@@ -3969,7 +3969,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", @@ -4126,7 +4126,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4323,7 +4323,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4480,7 +4480,7 @@ "CCI-000200" ], "nist": [ - "IA-5 (1) (e)" + "IA-5 (1) e." ], "severity": "medium", "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false", 
@@ -4681,7 +4681,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false", @@ -4890,7 +4890,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false", @@ -5220,7 +5220,7 @@ "CCI-000795" ], "nist": [ - "IA-4 e" + "IA-4 e." ], "severity": "medium", "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false", 
@@ -5759,7 +5759,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -5960,7 +5960,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6125,7 +6125,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6290,7 +6290,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6455,7 +6455,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", 
@@ -7437,7 +7437,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", @@ -7602,7 +7602,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false", @@ -8265,7 +8265,7 @@ ], "nist": [ "IA-3", - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false", @@ -8598,7 +8598,7 @@ ], "nist": [ "IA-3", - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false", 
@@ -8944,7 +8944,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false", @@ -9140,7 +9140,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.false", @@ -9470,7 +9470,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", @@ -9635,7 +9635,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false", 
@@ -9800,7 +9800,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.\n\nIn addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false", @@ -9957,7 +9957,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -10122,7 +10122,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", 
@@ -10287,7 +10287,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false",
@@ -10452,7 +10452,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false",
@@ -10617,7 +10617,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false",
@@ -10782,7 +10782,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -10947,7 +10947,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -11112,7 +11112,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -11269,7 +11269,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -11439,7 +11439,7 @@
 "nist": [
 "SC-28",
 "AC-17 (2)",
- "SC-13 b",
+ "SC-13 b.",
 "SC-28 (1)"
 ],
 "severity": "high",
@@ -11629,7 +11629,7 @@
 "CCI-000381"
 ],
 "nist": [
- "CM-7 a"
+ "CM-7 a."
 ],
 "severity": "high",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false",
@@ -11795,8 +11795,8 @@
 "CCI-000131"
 ],
 "nist": [
- "AU-2 c",
- "AU-3 b"
+ "AU-2 c.",
+ "AU-3 b."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false",
@@ -11969,7 +11969,7 @@
 "CCI-000139"
 ],
 "nist": [
- "AU-5 a"
+ "AU-5 a."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false",
@@ -13736,8 +13736,8 @@
 "CCI-000126"
 ],
 "nist": [
- "AU-12 c",
- "AU-2 c"
+ "AU-12 c.",
+ "AU-2 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -13911,8 +13911,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -14086,8 +14086,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -14261,8 +14261,8 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c"
+ "AU-2 c.",
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false",
@@ -14435,7 +14435,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14600,7 +14600,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14765,7 +14765,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -14930,7 +14930,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15095,7 +15095,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15260,7 +15260,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15425,7 +15425,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15590,7 +15590,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15755,7 +15755,7 @@
 "CCI-000172"
 ],
 "nist": [
- "AU-12 c"
+ "AU-12 c."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false",
@@ -15921,8 +15921,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16096,8 +16096,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16271,8 +16271,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16446,8 +16446,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16621,8 +16621,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16796,8 +16796,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false",
@@ -16971,8 +16971,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17146,8 +17146,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17321,8 +17321,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17496,8 +17496,8 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false",
@@ -17664,9 +17664,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
- "AU-2 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "AU-2 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false",
@@ -17849,9 +17849,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-2 c",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-2 c.",
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false",
@@ -18034,9 +18034,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
+ "AU-12 c.",
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18220,8 +18220,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18404,9 +18404,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
+ "AU-12 c.",
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18590,8 +18590,8 @@
 ],
 "nist": [
 "AU-3 (1)",
- "AU-12 c",
- "MA-4 (1) (a)"
+ "AU-12 c.",
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18774,9 +18774,9 @@
 "CCI-002884"
 ],
 "nist": [
- "AU-12 c",
+ "AU-12 c.",
 "AU-3 (1)",
- "MA-4 (1) (a)"
+ "MA-4 (1) a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false",
@@ -18961,9 +18961,9 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "AU-3 a", - "MA-4 (1) (a)" + "AU-12 c.", + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19155,10 +19155,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -19350,10 +19350,10 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "AU-3 a", - "MA-4 (1) (a)" + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19545,10 +19545,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19740,10 +19740,10 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "AU-3 a", - "MA-4 (1) (a)" + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -19934,7 +19934,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -20109,7 +20109,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -20284,7 +20284,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -20459,7 +20459,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -20635,8 +20635,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -20819,9 +20819,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -21002,7 +21002,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.false", 
@@ -21167,7 +21167,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21324,7 +21324,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21489,7 +21489,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21654,7 +21654,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21819,7 +21819,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21980,7 +21980,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false", @@ -22173,7 +22173,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22366,7 +22366,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", 
@@ -22559,7 +22559,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22752,7 +22752,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22942,8 +22942,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -23117,8 +23117,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23292,8 +23292,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -23467,8 +23467,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23642,8 +23642,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -24023,7 +24023,7 @@ "CCI-000068" ], "nist": [ - "CM-6 b", + "CM-6 b.", "IA-7", "AC-17 (2)" ], 
@@ -24206,7 +24206,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false", @@ -24768,7 +24768,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25108,7 +25108,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25273,7 +25273,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -25438,7 +25438,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false", 
@@ -25603,7 +25603,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25769,8 +25769,8 @@ "CCI-000197" ], "nist": [ - "CM-6 b", - "IA-5 (1) (c)" + "CM-6 b.", + "IA-5 (1) c." ], "severity": "high", "description": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false", @@ -26108,7 +26108,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -26273,7 +26273,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -26442,10 +26442,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", + "CM-3 f.", "CM-11 (2)", - "CM-5 (1) (a)", - "CM-6 c", + "CM-5 (1) a.", + "CM-6 c.", "CM-5 (1)" ], "severity": "medium", 
@@ -26639,11 +26639,11 @@ "CCI-000318" ], "nist": [ - "CM-6 c", - "CM-5 (1) (a)", + "CM-6 c.", + "CM-5 (1) a.", "CM-11 (2)", "CM-5 (1)", - "CM-3 f" + "CM-3 f." ], "severity": "medium", "description": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.false", @@ -26840,7 +26840,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", @@ -27005,7 +27005,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false", @@ -27170,7 +27170,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", @@ -27327,7 +27327,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false", 
@@ -27484,7 +27484,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27641,7 +27641,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27798,7 +27798,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27987,7 +27987,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", 
@@ -28176,7 +28176,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false", @@ -28365,7 +28365,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28554,7 +28554,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28743,7 +28743,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28908,7 +28908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", 
@@ -29073,7 +29073,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -29234,11 +29234,11 @@ "CCI-000318" ], "nist": [ - "CM-6 c", - "CM-5 (1) (a)", + "CM-6 c.", + "CM-5 (1) a.", "CM-5 (1)", "CM-11 (2)", - "CM-3 f" + "CM-3 f." ], "severity": "high", "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false", @@ -29435,7 +29435,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.false", 
@@ -29600,7 +29600,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.false", @@ -29765,7 +29765,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", @@ -29930,7 +29930,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false", @@ -30095,7 +30095,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false", 
@@ -30980,7 +30980,7 @@ ] } ], - "sha256": "efeeb5094233e4cb6f935ca8a72121390f4fe5d1b6a727eb27217f42c17cd8c4" + "sha256": "a4f165e62766e83300f8f2f30348910148a3b3e878ec3b6d3f98f35668a675aa" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf.json index 282c2441eb..23e91ff636 100644 --- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel7-hdf.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:7" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { 
@@ -28,7 +28,7 @@ "CCI-000048" ], "nist": [ - "AC-8 a" + "AC-8 a." ], "severity": "medium", "description": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details.\"\n\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088false", @@ -193,7 +193,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nRegardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -534,7 +534,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -727,7 +727,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -892,7 +892,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", 
@@ -1057,7 +1057,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined.\n\nThe ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.false", @@ -1214,7 +1214,7 @@ "CCI-000057" ], "nist": [ - "AC-11 a" + "AC-11 a." ], "severity": "medium", "description": "A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.false", @@ -1379,7 +1379,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.false", 
@@ -1536,7 +1536,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.false", @@ -1701,7 +1701,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -1894,7 +1894,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2087,7 +2087,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2280,7 +2280,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2473,7 +2473,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -2686,7 +2686,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -2883,7 +2883,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", @@ -3076,7 +3076,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.false", 
@@ -3273,7 +3273,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3438,7 +3438,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3603,7 +3603,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.false", @@ -3768,7 +3768,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", 
@@ -3969,7 +3969,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", @@ -4126,7 +4126,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4323,7 +4323,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.false", @@ -4480,7 +4480,7 @@ "CCI-000200" ], "nist": [ - "IA-5 (1) (e)" + "IA-5 (1) e." ], "severity": "medium", "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.false", 
@@ -4681,7 +4681,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.false", @@ -4890,7 +4890,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false", @@ -5220,7 +5220,7 @@ "CCI-000795" ], "nist": [ - "IA-4 e" + "IA-4 e." ], "severity": "medium", "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.false", 
@@ -5759,7 +5759,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -5960,7 +5960,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6125,7 +6125,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6290,7 +6290,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", @@ -6455,7 +6455,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Failure to restrict system access to authenticated users negatively impacts operating system security.false", 
@@ -7437,7 +7437,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", @@ -7602,7 +7602,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.false", @@ -8265,7 +8265,7 @@ ], "nist": [ "IA-3", - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false", @@ -8598,7 +8598,7 @@ ], "nist": [ "IA-3", - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227false", 
@@ -8944,7 +8944,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false", @@ -9140,7 +9140,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.false", @@ -9470,7 +9470,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", @@ -9635,7 +9635,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false", 
@@ -9800,7 +9800,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.\n\nIn addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.false", @@ -9957,7 +9957,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -10122,7 +10122,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", 
@@ -10287,7 +10287,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.\n\nThe only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.false", @@ -10452,7 +10452,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If the owner of the \"cron.allow\" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.false", @@ -10617,7 +10617,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If the group owner of the \"cron.allow\" file is not set to root, sensitive information could be viewed or edited by unauthorized users.false", @@ -10782,7 +10782,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -10947,7 +10947,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -11112,7 +11112,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", 
@@ -11269,7 +11269,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -11439,7 +11439,7 @@ "nist": [ "SC-28", "AC-17 (2)", - "SC-13 b", + "SC-13 b.", "SC-28 (1)" ], "severity": "high", @@ -11629,7 +11629,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.false", 
@@ -11795,8 +11795,8 @@ "CCI-000131" ], "nist": [ - "AU-2 c", - "AU-3 b" + "AU-2 c.", + "AU-3 b." ], "severity": "medium", "description": "Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096false", @@ -11969,7 +11969,7 @@ "CCI-000139" ], "nist": [ - "AU-5 a" + "AU-5 a." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023false", 
@@ -13736,8 +13736,8 @@ "CCI-000126" ], "nist": [ - "AU-12 c", - "AU-2 c" + "AU-12 c.", + "AU-2 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", @@ -13911,8 +13911,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", 
@@ -14086,8 +14086,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", @@ -14261,8 +14261,8 @@ "CCI-000172" ], "nist": [ - "AU-2 c", - "AU-12 c" + "AU-2 c.", + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219false", 
@@ -14435,7 +14435,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -14600,7 +14600,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -14765,7 +14765,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -14930,7 +14930,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -15095,7 +15095,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -15260,7 +15260,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -15425,7 +15425,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -15590,7 +15590,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", 
@@ -15755,7 +15755,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033false", @@ -15921,8 +15921,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", 
@@ -16096,8 +16096,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", @@ -16271,8 +16271,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", 
@@ -16446,8 +16446,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", @@ -16621,8 +16621,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", 
@@ -16796,8 +16796,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172false", @@ -16971,8 +16971,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", 
@@ -17146,8 +17146,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", @@ -17321,8 +17321,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", 
@@ -17496,8 +17496,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209false", @@ -17664,9 +17664,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "AU-2 c", - "MA-4 (1) (a)" + "AU-12 c.", + "AU-2 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false", 
@@ -17849,9 +17849,9 @@ "CCI-002884" ], "nist": [ - "AU-2 c", - "AU-12 c", - "MA-4 (1) (a)" + "AU-2 c.", + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218false", @@ -18034,9 +18034,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -18220,8 +18220,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -18404,9 +18404,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -18590,8 +18590,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -18774,9 +18774,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -18961,9 +18961,9 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "AU-3 a", - "MA-4 (1) (a)" + "AU-12 c.", + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19155,10 +19155,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -19350,10 +19350,10 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "AU-3 a", - "MA-4 (1) (a)" + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19545,10 +19545,10 @@ "CCI-002884" ], "nist": [ - "AU-3 a", + "AU-3 a.", "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", 
@@ -19740,10 +19740,10 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "AU-3 a", - "MA-4 (1) (a)" + "AU-3 a.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false", @@ -19934,7 +19934,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -20109,7 +20109,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -20284,7 +20284,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", 
@@ -20459,7 +20459,7 @@ ], "nist": [ "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172false", @@ -20635,8 +20635,8 @@ ], "nist": [ "AU-3 (1)", - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", 
@@ -20819,9 +20819,9 @@ "CCI-002884" ], "nist": [ - "AU-12 c", + "AU-12 c.", "AU-3 (1)", - "MA-4 (1) (a)" + "MA-4 (1) a." ], "severity": "medium", "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215false", @@ -21002,7 +21002,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.false", 
@@ -21167,7 +21167,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21324,7 +21324,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21489,7 +21489,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21654,7 +21654,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", @@ -21819,7 +21819,7 @@ "CCI-000172" ], "nist": [ - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false", 
@@ -21980,7 +21980,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221false", @@ -22173,7 +22173,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22366,7 +22366,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", 
@@ -22559,7 +22559,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22752,7 +22752,7 @@ ], "nist": [ "AC-2 (4)", - "AU-12 c" + "AU-12 c." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).false", @@ -22942,8 +22942,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -23117,8 +23117,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23292,8 +23292,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", 
@@ -23467,8 +23467,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -23642,8 +23642,8 @@ "CCI-002884" ], "nist": [ - "AU-12 c", - "MA-4 (1) (a)" + "AU-12 c.", + "MA-4 (1) a." ], "severity": "medium", "description": "If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.\n\nWhen a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172false", @@ -24023,7 +24023,7 @@ "CCI-000068" ], "nist": [ - "CM-6 b", + "CM-6 b.", "IA-7", "AC-17 (2)" ], 
@@ -24206,7 +24206,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.false", @@ -24768,7 +24768,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25108,7 +25108,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25273,7 +25273,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -25438,7 +25438,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.false", 
@@ -25603,7 +25603,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -25769,8 +25769,8 @@ "CCI-000197" ], "nist": [ - "CM-6 b", - "IA-5 (1) (c)" + "CM-6 b.", + "IA-5 (1) c." ], "severity": "high", "description": "SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.\n\nSatisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227false", @@ -26108,7 +26108,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -26273,7 +26273,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -26442,10 +26442,10 @@ "CCI-001814" ], "nist": [ - "CM-3 f", + "CM-3 f.", "CM-11 (2)", - "CM-5 (1) (a)", - "CM-6 c", + "CM-5 (1) a.", + "CM-6 c.", "CM-5 (1)" ], "severity": "medium", 
@@ -26639,11 +26639,11 @@ "CCI-000318" ], "nist": [ - "CM-6 c", - "CM-5 (1) (a)", + "CM-6 c.", + "CM-5 (1) a.", "CM-11 (2)", "CM-5 (1)", - "CM-3 f" + "CM-3 f." ], "severity": "medium", "description": "Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.false", @@ -26840,7 +26840,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", @@ -27005,7 +27005,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.false", @@ -27170,7 +27170,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", @@ -27327,7 +27327,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.false", 
@@ -27484,7 +27484,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27641,7 +27641,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -27798,7 +27798,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", @@ -27987,7 +27987,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.false", 
@@ -28176,7 +28176,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.false", @@ -28365,7 +28365,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28554,7 +28554,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -28743,7 +28743,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", @@ -28908,7 +28908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.false", 
@@ -29073,7 +29073,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", @@ -29234,11 +29234,11 @@ "CCI-000318" ], "nist": [ - "CM-6 c", - "CM-5 (1) (a)", + "CM-6 c.", + "CM-5 (1) a.", "CM-5 (1)", "CM-11 (2)", - "CM-3 f" + "CM-3 f." ], "severity": "high", "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false", @@ -29435,7 +29435,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.false", 
@@ -29600,7 +29600,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.false", @@ -29765,7 +29765,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", @@ -29930,7 +29930,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.false", @@ -30095,7 +30095,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.false", 
@@ -30980,7 +30980,7 @@ ] } ], - "sha256": "efeeb5094233e4cb6f935ca8a72121390f4fe5d1b6a727eb27217f42c17cd8c4" + "sha256": "a4f165e62766e83300f8f2f30348910148a3b3e878ec3b6d3f98f35668a675aa" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf-withraw.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf-withraw.json index 49f3d7e33f..a7fe0c1d4d 100644 --- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf-withraw.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:8" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { @@ -28,7 +28,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.false", 
@@ -302,7 +302,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.false", @@ -439,7 +439,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", @@ -576,7 +576,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", 
@@ -1809,7 +1809,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -1946,7 +1946,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2083,7 +2083,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2220,7 +2220,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2357,7 +2357,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2494,7 +2494,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2631,7 +2631,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.false",
@@ -4823,7 +4823,7 @@
 "CCI-002696"
 ],
 "nist": [
- "SI-6 a"
+ "SI-6 a."
 ],
 "severity": "medium",
 "description": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false",
@@ -4960,7 +4960,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "The \"shosts.equiv\" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false",
@@ -5097,7 +5097,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "The \".shosts\" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false",
@@ -5234,7 +5234,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false",
@@ -5371,7 +5371,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false",
@@ -5508,7 +5508,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false",
@@ -5645,7 +5645,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false",
@@ -5782,7 +5782,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false",
@@ -5919,7 +5919,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.false",
@@ -6056,7 +6056,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6193,7 +6193,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6330,7 +6330,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6467,7 +6467,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false",
@@ -6741,7 +6741,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -6878,7 +6878,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -7015,7 +7015,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7152,7 +7152,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.false",
@@ -7289,7 +7289,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"noexec\" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7426,7 +7426,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7563,7 +7563,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false",
@@ -7700,7 +7700,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false",
@@ -7837,7 +7837,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -7974,7 +7974,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -8111,7 +8111,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false",
@@ -8248,7 +8248,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false",
@@ -8385,7 +8385,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "SSH environment options potentially allow users to bypass access restriction in some configurations.false",
@@ -8522,7 +8522,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8659,7 +8659,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8796,7 +8796,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -8933,7 +8933,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9070,7 +9070,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9207,7 +9207,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9344,7 +9344,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9481,7 +9481,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9618,7 +9618,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9755,7 +9755,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -9892,7 +9892,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -10029,7 +10029,7 @@
 "CCI-000044"
 ],
 "nist": [
- "AC-7 a"
+ "AC-7 a."
 ],
 "severity": "medium",
 "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false",
@@ -10303,7 +10303,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "medium",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10440,7 +10440,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "medium",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10577,7 +10577,7 @@
 "CCI-000056"
 ],
 "nist": [
- "AC-11 b"
+ "AC-11 b."
 ],
 "severity": "low",
 "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false",
@@ -10714,7 +10714,7 @@
 "CCI-000192"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nNote the value of \"retry\" set in these configuration files should be between \"1\" and \"3\". Manual changes to the listed files may be overwritten by the \"authselect\" program.false",
@@ -10851,7 +10851,7 @@
 "CCI-000192"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -10988,7 +10988,7 @@
 "CCI-000193"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -11125,7 +11125,7 @@
 "CCI-000194"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -11262,7 +11262,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.false",
@@ -11399,7 +11399,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.false",
@@ -11536,7 +11536,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).false",
@@ -11673,7 +11673,7 @@
 "CCI-000195"
 ],
 "nist": [
- "IA-5 (1) (b)"
+ "IA-5 (1) b."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"difok\" option sets the number of characters in a password that must not be present in the old password.false",
@@ -11810,7 +11810,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -11947,7 +11947,7 @@
 "CCI-000198"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false",
@@ -12084,7 +12084,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false",
@@ -12221,7 +12221,7 @@
 "CCI-000199"
 ],
 "nist": [
- "IA-5 (1) (d)"
+ "IA-5 (1) d."
 ],
 "severity": "medium",
 "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false",
@@ -12358,7 +12358,7 @@
 "CCI-000200"
 ],
 "nist": [
- "IA-5 (1) (e)"
+ "IA-5 (1) e."
 ],
 "severity": "medium",
 "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 utilizes \"pwquality\" consecutively as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.false",
@@ -12495,7 +12495,7 @@
 "CCI-000205"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\nThe \"minlen\", sometimes noted as minimum length, acts as a \"score\" of complexity based on the credit components of the \"pwquality\" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total \"score\" of \"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\nThe DoD minimum password requirement is 15 characters.false",
@@ -12632,7 +12632,7 @@
 "CCI-000205"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nThe DoD minimum password requirement is 15 characters.false",
@@ -12769,7 +12769,7 @@
 "CCI-000795"
 ],
 "nist": [
- "IA-4 e"
+ "IA-4 e."
 ],
 "severity": "medium",
 "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nRHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.false",
@@ -12906,7 +12906,7 @@
 "CCI-001619"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) a."
 ],
 "severity": "medium",
 "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that to require special characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false",
@@ -13043,7 +13043,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.false",
@@ -13180,7 +13180,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false",
@@ -13317,7 +13317,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "high",
 "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false",
@@ -13454,7 +13454,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false",
@@ -13591,7 +13591,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false",
@@ -13865,7 +13865,7 @@
 "CCI-000139"
 ],
 "nist": [
- "AU-5 a"
+ "AU-5 a."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false",
@@ -14002,7 +14002,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false",
@@ -14139,7 +14139,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false",
@@ -14276,7 +14276,7 @@
 "CCI-000140"
 ],
 "nist": [
- "AU-5 b"
+ "AU-5 b."
 ],
 "severity": "medium",
 "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false",
@@ -14413,7 +14413,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.false",
@@ -14687,7 +14687,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "low",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nEnriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.false",
@@ -14824,7 +14824,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false",
@@ -14961,7 +14961,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false",
@@ -15098,7 +15098,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15235,7 +15235,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15372,7 +15372,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15509,7 +15509,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15646,7 +15646,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15783,7 +15783,7 @@
 "CCI-000162"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false",
@@ -15920,7 +15920,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16057,7 +16057,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000476-GPOS-00221false",
@@ -16194,7 +16194,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16331,7 +16331,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16468,7 +16468,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16605,7 +16605,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16742,7 +16742,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false",
@@ -16879,7 +16879,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false",
@@ -17016,7 +17016,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"su\" command allows a user to run commands with a substitute user and group ID.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -17153,7 +17153,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17290,7 +17290,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Removexattr\" is a system call that removes extended attributes.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17427,7 +17427,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false",
@@ -17564,7 +17564,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The auid representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false",
@@ -17701,7 +17701,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17838,7 +17838,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chage\" command is used to change or view user password expiry information.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false",
@@ -17975,7 +17975,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chcon\" command is used to change file SELinux security context.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false",
@@ -18112,7 +18112,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Setxattr\" is a system call used to set an extended attribute value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18249,7 +18249,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-agent\" is a program to hold private keys used for public key authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18386,7 +18386,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"passwd\" command is used to change passwords for user accounts.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18523,7 +18523,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" command is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18660,7 +18660,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"umount\" command is used to unmount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18797,7 +18797,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" syscall is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18934,7 +18934,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \"Unix_update\" is a helper program for the \"pam_unix\" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19071,7 +19071,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postdrop\" command creates a file in the maildrop directory and copies its standard input to the file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19208,7 +19208,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postqueue\" command implements the Postfix user interface for queue management.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19345,7 +19345,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"semanage\" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19482,7 +19482,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setfiles\" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19619,7 +19619,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"userhelper\" command is not intended to be run interactively. \"Userhelper\" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19756,7 +19756,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setsebool\" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19893,7 +19893,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"unix_chkpwd\" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20030,7 +20030,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-keysign\" program is an SSH helper program for host-based authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20167,7 +20167,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"setfacl\" command is used to set file access control lists.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20304,7 +20304,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"pam_timestamp_check\" command is used to check if the default timestamp is valid.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20441,7 +20441,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"newgrp\" command is used to change the current group ID during a login session.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20578,7 +20578,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20715,7 +20715,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" command will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20852,7 +20852,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"renameat\" command renames a file, moving it between directories if required.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20989,7 +20989,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rmdir\" command removes empty directories.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21126,7 +21126,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlink\" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21263,7 +21263,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21400,7 +21400,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"gpasswd\" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21537,7 +21537,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"finit_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21674,7 +21674,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"delete_module\" command is used to unload a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21811,7 +21811,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"crontab\" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21948,7 +21948,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chsh\" command is used to change the login shell.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -22085,7 +22085,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22222,7 +22222,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"openat\" system call opens a file specified by a relative pathname.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22359,7 +22359,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"open system\" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22496,7 +22496,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of openat into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22633,7 +22633,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22770,7 +22770,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"creat\" system call is used to open and possibly create a file or device.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22907,7 +22907,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23044,7 +23044,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23181,7 +23181,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23318,7 +23318,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23455,7 +23455,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23592,7 +23592,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23729,7 +23729,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmod\" system call is used to change permissions of a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23866,7 +23866,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"sudo\" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24003,7 +24003,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"usermod\" command modifies the system account files to reflect the changes that are specified on the command line.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24140,7 +24140,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chacl\" command is used to change the access control list of a file or directory.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24277,7 +24277,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"kmod\" command is used to control Linux Kernel modules.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false",
@@ -24414,7 +24414,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218false",
@@ -24551,7 +24551,7 @@
 "CCI-000171"
 ],
 "nist": [
- "AU-12 b"
+ "AU-12 b."
 ],
 "severity": "medium",
 "description": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false",
@@ -24688,7 +24688,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.false",
@@ -24825,7 +24825,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false",
@@ -24962,7 +24962,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false",
@@ -25099,7 +25099,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false",
@@ -25236,7 +25236,7 @@
 "CCI-000366"
 ],
 "nist": [
- "CM-6 b"
+ "CM-6 b."
 ],
 "severity": "medium",
 "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false",
@@ -25647,7 +25647,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", @@ -25784,7 +25784,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", 
@@ -25921,7 +25921,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", 
@@ -26058,7 +26058,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26195,7 +26195,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26332,7 +26332,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042false", @@ -26469,7 +26469,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.false", 
@@ -26606,7 +26606,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.false", @@ -26743,7 +26743,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.false", 
@@ -26880,7 +26880,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.false", @@ -27017,7 +27017,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the server.\n\nCompressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.false", 
@@ -27154,7 +27154,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.false", @@ -29894,7 +29894,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false", @@ -30031,7 +30031,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false", @@ -30168,7 +30168,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", 
@@ -30305,7 +30305,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -30442,7 +30442,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", @@ -30579,7 +30579,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", 
@@ -30716,7 +30716,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false", @@ -30853,7 +30853,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false", @@ -30990,7 +30990,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", @@ -31127,7 +31127,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.false", 
@@ -31264,7 +31264,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.false", @@ -31401,7 +31401,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", @@ -31538,7 +31538,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -31675,7 +31675,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", 
@@ -31812,7 +31812,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", @@ -31949,7 +31949,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", @@ -32086,7 +32086,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nUser namespaces are used primarily for Linux container. The value 0 disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When containers are deployed on a system, the value should be set to a large non-zero value. The default value is 7182.false", 
@@ -32223,7 +32223,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling reverse path filtering drops packets with source addresses that are not routable. There is not an equivalent filter for IPv6 traffic.false", @@ -32360,7 +32360,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false", @@ -32497,7 +32497,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a \"no\" setting.\n\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.false", 
@@ -32634,7 +32634,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.false", @@ -32771,7 +32771,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false", @@ -32908,7 +32908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", 
@@ -33045,7 +33045,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.false", @@ -33182,7 +33182,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.false", 
@@ -33319,7 +33319,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.false", @@ -33593,7 +33593,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -33999,7 +33999,7 @@ ] } ], - "sha256": "b0acbbf432fa4acdce7d90d120ec022e021bb7b38103cad4aad9d52d36d8c055" + "sha256": "3ebce3f983a4ae5213d34eab016acec6863ddf95f4107dce046d70be7e90ede2" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf.json b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf.json index fbb5484564..818606fec1 100644 
--- a/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf.json +++ b/libs/hdf-converters/sample_jsons/xccdf_results_mapper/xccdf-scc-rhel8-hdf.json @@ -1,10 +1,10 @@ { "platform": { "name": "Heimdall Tools", - "release": "2.8.1", + "release": "2.10.20", "target_id": "cpe:/o:redhat:enterprise_linux:8" }, - "version": "2.8.1", + "version": "2.10.20", "statistics": {}, "profiles": [ { @@ -28,7 +28,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata.false", 
@@ -302,7 +302,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nUnapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.false", @@ -439,7 +439,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", @@ -576,7 +576,7 @@ "CCI-000196" ], "nist": [ - "IA-5 (1) (c)" + "IA-5 (1) c." ], "severity": "medium", "description": "The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy.\n\nPasswords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.false", 
@@ -1809,7 +1809,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -1946,7 +1946,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2083,7 +2083,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2220,7 +2220,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2357,7 +2357,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", @@ -2494,7 +2494,7 @@ "CCI-001314" ], "nist": [ - "SI-11 b" + "SI-11 b." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.false", 
@@ -2631,7 +2631,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems.\n\nThe SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.false", @@ -4823,7 +4823,7 @@ "CCI-002696" ], "nist": [ - "SI-6 a" + "SI-6 a." ], "severity": "medium", "description": "Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.\n\nThis requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.false", 
@@ -4960,7 +4960,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The \"shosts.equiv\" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -5097,7 +5097,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The \".shosts\" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.false", @@ -5234,7 +5234,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If a public host key file is modified by an unauthorized user, the SSH service may be compromised.false", @@ -5371,7 +5371,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If an unauthorized user obtains the private SSH host key file, the host could be impersonated.false", @@ -5508,7 +5508,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.false", @@ -5645,7 +5645,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.false", 
@@ -5782,7 +5782,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.false", @@ -5919,7 +5919,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere.false", @@ -6056,7 +6056,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6193,7 +6193,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6330,7 +6330,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", @@ -6467,7 +6467,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.false", 
@@ -6741,7 +6741,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -6878,7 +6878,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring RHEL 8 to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", 
@@ -7015,7 +7015,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7152,7 +7152,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the /dev directory located on the root partition.false", @@ -7289,7 +7289,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"noexec\" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7426,7 +7426,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", 
@@ -7563,7 +7563,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The \"nosuid\" mount option causes the system not to execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.false", @@ -7700,7 +7700,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", @@ -7837,7 +7837,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", 
@@ -7974,7 +7974,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", @@ -8111,7 +8111,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nA core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.false", @@ -8248,7 +8248,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.false", @@ -8385,7 +8385,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "SSH environment options potentially allow users to bypass access restriction in some configurations.false", 
@@ -8522,7 +8522,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -8659,7 +8659,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -8796,7 +8796,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -8933,7 +8933,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9070,7 +9070,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -9207,7 +9207,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9344,7 +9344,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", @@ -9481,7 +9481,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9618,7 +9618,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9755,7 +9755,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -9892,7 +9892,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nRHEL 8 can utilize the \"pam_faillock.so\" for this purpose. Note that manual changes to the listed files may be overwritten by the \"authselect\" program.\n\nFrom \"Pam_Faillock\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -10029,7 +10029,7 @@ "CCI-000044" ], "nist": [ - "AC-7 a" + "AC-7 a." ], "severity": "medium", "description": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nIn RHEL 8.2 the \"/etc/security/faillock.conf\" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a \"local_users_only\" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.\n\nFrom \"faillock.conf\" man pages: Note that the default directory that \"pam_faillock\" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the \"dir\" option.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128false", 
@@ -10303,7 +10303,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -10440,7 +10440,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "medium", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", 
@@ -10577,7 +10577,7 @@ "CCI-000056" ], "nist": [ - "AC-11 b" + "AC-11 b." ], "severity": "low", "description": "A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.\n\nTmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.\n\nSatisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011false", @@ -10714,7 +10714,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth\n\nNote the value of \"retry\" set in these configuration files should be between \"1\" and \"3\". Manual changes to the listed files may be overwritten by the \"authselect\" program.false", 
@@ -10851,7 +10851,7 @@ "CCI-000192" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require uppercase characters, without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -10988,7 +10988,7 @@ "CCI-000193" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes pwquality as a mechanism to enforce password complexity. Note that in order to require lower-case characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", 
@@ -11125,7 +11125,7 @@ "CCI-000194" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that in order to require numeric characters, without degrading the minlen value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -11262,7 +11262,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password.false", 
@@ -11399,7 +11399,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password.false", @@ -11536,7 +11536,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).false", 
@@ -11673,7 +11673,7 @@ "CCI-000195" ], "nist": [ - "IA-5 (1) (b)" + "IA-5 (1) b." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. The \"difok\" option sets the number of characters in a password that must not be present in the old password.false", @@ -11810,7 +11810,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", @@ -11947,7 +11947,7 @@ "CCI-000198" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.false", 
@@ -12084,7 +12084,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false", @@ -12221,7 +12221,7 @@ "CCI-000199" ], "nist": [ - "IA-5 (1) (d)" + "IA-5 (1) d." ], "severity": "medium", "description": "Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If RHEL 8 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that RHEL 8 passwords could be compromised.false", @@ -12358,7 +12358,7 @@ "CCI-000200" ], "nist": [ - "IA-5 (1) (e)" + "IA-5 (1) e." ], "severity": "medium", "description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.\n\nRHEL 8 utilizes \"pwquality\" consecutively as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth.\n\nNote that manual changes to the listed files may be overwritten by the \"authselect\" program.false", 
@@ -12495,7 +12495,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Configurations are set in the \"etc/security/pwquality.conf\" file.\n\nThe \"minlen\", sometimes noted as minimum length, acts as a \"score\" of complexity based on the credit components of the \"pwquality\" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total \"score\" of \"minlen\". This will enable \"minlen\" to require a 15-character minimum.\n\nThe DoD minimum password requirement is 15 characters.false", @@ -12632,7 +12632,7 @@ "CCI-000205" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nThe DoD minimum password requirement is 15 characters.false", 
@@ -12769,7 +12769,7 @@ "CCI-000795" ], "nist": [ - "IA-4 e" + "IA-4 e." ], "severity": "medium", "description": "Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nRHEL 8 needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.false", @@ -12906,7 +12906,7 @@ "CCI-001619" ], "nist": [ - "IA-5 (1) (a)" + "IA-5 (1) a." ], "severity": "medium", "description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. Note that to require special characters without degrading the \"minlen\" value, the credit value must be expressed as a negative number in \"/etc/security/pwquality.conf\".false", @@ -13043,7 +13043,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If RHEL 8 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses, and brute-force attacks.false", 
@@ -13180,7 +13180,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.false", @@ -13317,7 +13317,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.false", @@ -13454,7 +13454,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.false", @@ -13591,7 +13591,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.false", 
@@ -13865,7 +13865,7 @@ "CCI-000139" ], "nist": [ - "AU-5 a" + "AU-5 a." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false", @@ -14002,7 +14002,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.\n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.\n\nThis requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.false", 
@@ -14139,7 +14139,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows:\n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false", 
@@ -14276,7 +14276,7 @@ "CCI-000140" ], "nist": [ - "AU-5 b" + "AU-5 b." ], "severity": "medium", "description": "It is critical that when RHEL 8 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, RHEL 8 must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, RHEL 8 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.false", @@ -14413,7 +14413,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.false", 
@@ -14687,7 +14687,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "low", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nEnriched logging aids in making sense of who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult.false", @@ -14824,7 +14824,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false", 
@@ -14961,7 +14961,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084false", @@ -15098,7 +15098,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15235,7 +15235,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", 
@@ -15372,7 +15372,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15509,7 +15509,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15646,7 +15646,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", 
@@ -15783,7 +15783,7 @@ "CCI-000162" ], "nist": [ - "AU-9 a" + "AU-9 a." ], "severity": "medium", "description": "Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029false", @@ -15920,7 +15920,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16057,7 +16057,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000476-GPOS-00221false", @@ -16194,7 +16194,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16331,7 +16331,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", @@ -16468,7 +16468,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16605,7 +16605,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", @@ -16742,7 +16742,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, CCI-002884, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221false", 
@@ -16879,7 +16879,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in RHEL 8 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured RHEL 8 system.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220false", 
@@ -17016,7 +17016,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"su\" command allows a user to run commands with a substitute user and group ID.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false", 
@@ -17153,7 +17153,7 @@ "CCI-000169" ], "nist": [ - "AU-12 a" + "AU-12 a." ], "severity": "medium", "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false", 
@@ -17290,7 +17290,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Removexattr\" is a system call that removes extended attributes.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17427,7 +17427,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Lsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a symbolic link.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false",
@@ -17564,7 +17564,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fsetxattr\" is a system call used to set an extended attribute value. This is used to set extended attributes on a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The auid representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219false",
@@ -17701,7 +17701,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Fremovexattr\" is a system call that removes extended attributes. This is used for removal of extended attributes from a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210false",
@@ -17838,7 +17838,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chage\" command is used to change or view user password expiry information.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false",
@@ -17975,7 +17975,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chcon\" command is used to change file SELinux security context.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215false",
@@ -18112,7 +18112,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). \"Setxattr\" is a system call used to set an extended attribute value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18249,7 +18249,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-agent\" is a program to hold private keys used for public key authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18386,7 +18386,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"passwd\" command is used to change passwords for user accounts.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18523,7 +18523,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" command is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18660,7 +18660,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"umount\" command is used to unmount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18797,7 +18797,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" syscall is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -18934,7 +18934,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. \"Unix_update\" is a helper program for the \"pam_unix\" module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19071,7 +19071,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postdrop\" command creates a file in the maildrop directory and copies its standard input to the file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19208,7 +19208,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"postqueue\" command implements the Postfix user interface for queue management.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19345,7 +19345,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"semanage\" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19482,7 +19482,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setfiles\" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling).\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19619,7 +19619,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"userhelper\" command is not intended to be run interactively. \"Userhelper\" provides a basic interface to change a user's password, gecos information, and shell. The main difference between this program and its traditional equivalents (passwd, chfn, chsh) is that prompts are written to standard out to make it easy for a graphical user interface wrapper to interface to it as a child process.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19756,7 +19756,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"setsebool\" command sets the current state of a particular SELinux boolean or a list of booleans to a given value.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -19893,7 +19893,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The \"unix_chkpwd\" command is a helper program for the pam_unix module that verifies the password of the current user. It also checks password and account expiration dates in shadow. It is not intended to be run directly from the command line and logs a security violation if done so.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20030,7 +20030,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"ssh-keysign\" program is an SSH helper program for host-based authentication.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20167,7 +20167,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"setfacl\" command is used to set file access control lists.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20304,7 +20304,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"pam_timestamp_check\" command is used to check if the default timestamp is valid.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20441,7 +20441,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"newgrp\" command is used to change the current group ID during a login session.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20578,7 +20578,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20715,7 +20715,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" command will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20852,7 +20852,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"renameat\" command renames a file, moving it between directories if required.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -20989,7 +20989,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rmdir\" command removes empty directories.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21126,7 +21126,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlink\" command deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21263,7 +21263,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21400,7 +21400,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"gpasswd\" command is used to administer /etc/group and /etc/gshadow. Every group can have administrators, members and a password.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21537,7 +21537,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"finit_module\" command is used to load a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21674,7 +21674,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"delete_module\" command is used to unload a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21811,7 +21811,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"crontab\" command is used to maintain crontab files for individual users. Crontab is the program used to install, remove, or list the tables used to drive the cron daemon. This is similar to the task scheduler used in other operating systems.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -21948,7 +21948,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chsh\" command is used to change the login shell.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215false",
@@ -22085,7 +22085,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length. \n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22222,7 +22222,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"openat\" system call opens a file specified by a relative pathname.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22359,7 +22359,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"open system\" call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22496,7 +22496,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of openat into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22633,7 +22633,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22770,7 +22770,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"creat\" system call is used to open and possibly create a file or device.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033false",
@@ -22907,7 +22907,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chown\" command is used to change file owner and group.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23044,7 +23044,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" command changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23181,7 +23181,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"lchown\" system call is used to change the ownership of the file specified by a path, which does not dereference symbolic links.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23318,7 +23318,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchownat\" system call is used to change ownership of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23455,7 +23455,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchown\" system call is used to change the ownership of a file referred to by the open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23592,7 +23592,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23729,7 +23729,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"fchmod\" system call is used to change permissions of a file.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210false",
@@ -23866,7 +23866,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"sudo\" command allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24003,7 +24003,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"usermod\" command modifies the system account files to reflect the changes that are specified on the command line.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24140,7 +24140,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chacl\" command is used to change the access control list of a file or directory.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210false",
@@ -24277,7 +24277,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"kmod\" command is used to control Linux Kernel modules.\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222false",
@@ -24414,7 +24414,7 @@
 "CCI-000169"
 ],
 "nist": [
- "AU-12 a"
+ "AU-12 a."
 ],
 "severity": "medium",
 "description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which RHEL 8 will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.\n\nSatisfies: SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218false",
@@ -24551,7 +24551,7 @@
 "CCI-000171"
 ],
 "nist": [
- "AU-12 b"
+ "AU-12 b."
 ],
 "severity": "medium",
 "description": "Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.false",
@@ -24688,7 +24688,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.false",
@@ -24825,7 +24825,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false",
@@ -24962,7 +24962,7 @@
 "CCI-001493"
 ],
 "nist": [
- "AU-9 a"
+ "AU-9 a."
 ],
 "severity": "medium",
 "description": "Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information.\n\nRHEL 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099false",
@@ -25099,7 +25099,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false", 
@@ -25236,7 +25236,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nRHEL 8 installation media provides \"rsyslogd\". \"rsyslogd\" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with \"rsyslog-gnutls\" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.\n\nRsyslog provides three ways to forward message: the traditional UDP transport, which is extremely lossy but standard; the plain TCP based transport, which loses messages only during certain situations but is widely available; and the RELP transport, which does not lose messages but is currently available only as part of the rsyslogd 3.15.0 and above.\nExamples of each configuration:\nUDP *.* @remotesystemname\nTCP *.* @@remotesystemname\nRELP *.* :omrelp:remotesystemname:2514\nNote that a port number was given as there is no standard port for RELP.false", 
@@ -25647,7 +25647,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nMinimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", @@ -25784,7 +25784,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nNot exposing the management interface of the chrony daemon on the network diminishes the attack space.\n\nRHEL 8 utilizes the \"timedatectl\" command to view the status of the \"systemd-timesyncd.service\". The \"timedatectl\" status will display the local time, UTC, and the offset from UTC.\n\nNote that USNO offers authenticated NTP service to DoD and U.S. Government agencies operating on the NIPR and SIPR networks. Visit https://www.usno.navy.mil/USNO/time/ntp/dod-customers for more information.false", 
@@ -25921,7 +25921,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.\n\nThe telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.false", 
@@ -26058,7 +26058,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26195,7 +26195,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nExamples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.\n\nVerify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.false", 
@@ -26332,7 +26332,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "high", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.\n\nIf a privileged user were to log on using this service, the privileged user password could be compromised.\n\nSatisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000074-GPOS-00042false", @@ -26469,7 +26469,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. Disabling ATM protects the system against exploitation of any laws in its implementation.false", 
@@ -26606,7 +26606,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Controller Area Network (CAN) is a serial communications protocol, which was initially developed for automotive and is now also used in marine, industrial, and medical applications. Disabling CAN protects the system against exploitation of any flaws in its implementation.false", @@ -26743,7 +26743,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.false", 
@@ -26880,7 +26880,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nFailing to disconnect unused protocols can result in a system compromise.\n\nThe Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. Disabling TIPC protects the system against exploitation of any flaws in its implementation.false", @@ -27017,7 +27017,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nRemoving support for unneeded filesystem types reduces the local attack surface of the server.\n\nCompressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.false", 
@@ -27154,7 +27154,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "low", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nThe IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. Disabling FireWire protects the system against exploitation of any flaws in its implementation.false", @@ -29894,7 +29894,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.false", @@ -30031,7 +30031,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.false", @@ -30168,7 +30168,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "If an account other than root also has a User Identifier (UID) of \"0\", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of \"0\" afford an opportunity for potential intruders to guess a password for a privileged account.false", 
@@ -30305,7 +30305,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -30442,7 +30442,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", @@ -30579,7 +30579,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Responding to broadcast ICMP echoes facilitates network mapping and provides a vector for amplification attacks.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv6 does not implement the same method of broadcast as IPv4. Instead, IPv6 uses multicast addressing to the all-hosts multicast group. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", 
@@ -30716,7 +30716,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false", @@ -30853,7 +30853,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.false", @@ -30990,7 +30990,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.false", @@ -31127,7 +31127,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.false", 
@@ -31264,7 +31264,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.\n\nAn illicit router advertisement message could result in a man-in-the-middle attack.false", @@ -31401,7 +31401,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.\n\nThere are notable differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). There is only a directive to disable sending of IPv4 redirected packets. Refer to RFC4294 for an explanation of \"IPv6 Node Requirements\", which resulted in this difference between IPv4 and IPv6.false", @@ -31538,7 +31538,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.false", @@ -31675,7 +31675,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", 
@@ -31812,7 +31812,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", @@ -31949,7 +31949,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.false", @@ -32086,7 +32086,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nUser namespaces are used primarily for Linux container. The value 0 disallows the use of user namespaces. When containers are not in use, namespaces should be disallowed. When containers are deployed on a system, the value should be set to a large non-zero value. The default value is 7182.false", 
@@ -32223,7 +32223,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nEnabling reverse path filtering drops packets with source addresses that are not routable. There is not an equivalent filter for IPv6 traffic.false", @@ -32360,7 +32360,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.false", @@ -32497,7 +32497,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a \"no\" setting.\n\nX11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.\n\nIf X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.false", 
@@ -32634,7 +32634,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.false", @@ -32771,7 +32771,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.false", @@ -32908,7 +32908,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "high", "description": "The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.false", 
@@ -33045,7 +33045,7 @@ "CCI-000381" ], "nist": [ - "CM-7 a" + "CM-7 a." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS.false", @@ -33182,7 +33182,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.false", 
@@ -33319,7 +33319,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.\n\nOperating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nThe tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations.false", @@ -33593,7 +33593,7 @@ "CCI-000366" ], "nist": [ - "CM-6 b" + "CM-6 b." ], "severity": "medium", "description": "The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the \"sudoers\" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.false", @@ -33999,7 +33999,7 @@ ] } ], - "sha256": "b0acbbf432fa4acdce7d90d120ec022e021bb7b38103cad4aad9d52d36d8c055" + "sha256": "3ebce3f983a4ae5213d34eab016acec6863ddf95f4107dce046d70be7e90ede2" } ], "passthrough": { diff --git a/libs/hdf-converters/src/xccdf-results-mapper.ts b/libs/hdf-converters/src/xccdf-results-mapper.ts index 4bb3057da2..6480892187 100644 --- a/libs/hdf-converters/src/xccdf-results-mapper.ts +++ b/libs/hdf-converters/src/xccdf-results-mapper.ts 
@@ -1,4 +1,4 @@
-import {ExecJSON} from 'inspecjs';
+import {ExecJSON, is_control, NistControl, parse_nist} from 'inspecjs';
 import * as _ from 'lodash';
 import {version as HeimdallToolsVersion} from '../package.json';
 import {
@@ -146,8 +146,31 @@ function extractCci(input: IIdent | IIdent[]): string[] {
 return output;
 }
 
+function extractNist(input: IIdent | IIdent[]): string[] {
+ const inputArray = asArray(input);
+ return inputArray
+ .map((element) =>
+ _.get(
+ element,
+ 'text',
+ '' // Rules may not always contain references.
+ )
+ )
+ .map(parse_nist)
+ .filter(is_control)
+ .flatMap((c) => c.canonize() || []);
+}
+
 function nistTag(input: IIdent | IIdent[]): string[] {
- return CCI2NIST(extractCci(input), DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS);
+ // The XCCDF results input file might already contain some NIST tags.
+ const existingNists = extractNist(input);
+
+ // It might also have CCI tags adjacent to the NIST tags.
+ const ccis = extractCci(input);
+ const nistsFromMappedCcis = CCI2NIST(ccis, []);
+
+ const nists = _.uniq([...existingNists, ...nistsFromMappedCcis]);
+ return nists.length > 0 ? nists : DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS;
 }
 
 /**
@@ -307,7 +330,7 @@ export class XCCDFResultsMapper extends BaseConverter {
 transformer: extractCci
 },
 nist: {
- path: ['ident', 'reference'],
+ path: ['ident', 'reference'], // WIP: figure out why reference isn't being pulled
 transformer: nistTag
 },
 severity: {path: 'severity'},
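Review bot: `NistControl` is added to the 'inspecjs' import on the new first line, but nothing in the hunks of this patch refers to it; unless a use exists elsewhere in the file, it is an unused import that `noUnusedLocals` or `@typescript-eslint/no-unused-vars` will reject. If it was meant as the element type in extractNist's `.flatMap((c) => …)`, annotate it there so the import earns its place; otherwise trim the line to `import {ExecJSON, is_control, parse_nist} from 'inspecjs';`.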
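Review bot: `.map(parse_nist)` in extractNist forwards `Array.prototype.map`'s `(value, index, array)` arguments to parse_nist, so if that function accepts an optional second parameter every element after the first is parsed with a spurious numeric argument; `.map((text) => parse_nist(text))` costs nothing and removes the doubt. extractNist also has no doc comment, unlike nistTag; a one-liner such as `/** Canonical NIST control ids from each ident/reference text that parses as a control; text that is not a control (CCI identifiers, empty text) is dropped. */` would state the contract. Finally, nistTag now falls back to DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS only when both lists are empty, so a rule with a single recognised reference loses the static-analysis tags entirely; that reads as the intended behaviour, but the comment above the return should say so explicitly.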
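Review bot: The new trailing comment `// WIP: figure out why reference isn't being pulled` is a debugging note left in the mapping that the commit otherwise presents as finished; if `reference` entries are indeed not reaching nistTag, extractNist only ever sees `ident` text and the "existing NIST tags" branch may be exercised by none of the updated fixtures. Either settle the question before merging or record it as a tracked item that names the symptom, e.g. `// TODO(<issue id placeholder>): confirm 'reference' entries reach nistTag via this path`. The mapping object this line belongs to starts and ends outside the hunk.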