Guide to the Secure Configuration of Ubuntu 18.04
with profile Profile for ANSSI DAT-NT28 High (Enforced) Level
This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontrolled networks.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
Characteristic | Value |
---|---|
Target machine | test |
Benchmark URL | /tmp/tmp.Mh8Q1VxCCG |
Benchmark ID | xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC |
Profile ID | xccdf_org.ssgproject.content_profile_anssi_np_nt28_high |
Started at | 2020-07-31T14:15:19 |
Finished at | 2020-07-31T14:15:19 |
Performed by | scheesman |
CPE Platforms
- cpe:/o:canonical:ubuntu_linux:18.04
Addresses
- IPv4 127.0.0.1
- IPv4 10.1.201.221
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fd00:2704:0:0:250:56ff:fea5:acb
- IPv6 fe80:0:0:0:250:56ff:fea5:acb
- MAC 00:00:00:00:00:00
- MAC 00:50:56:A5:0A:CB
Compliance and Scoring
Rule results
Severity of failed rules
Score
Scoring system | Score | Maximum | Percent |
---|---|---|---|
urn:xccdf:scoring:default | 49.625000 | 100.000000 | |
Rule Overview
Result Details
Ensure the audit Subsystem is Installed
Rule ID | xccdf_org.ssgproject.content_rule_package_audit_installed |
Result | notchecked |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), NT28(R50), SRG-OS-000480-GPOS-00227, SRG-OS-000122-GPOS-00063 |
Description | The audit package should be installed. |
Rationale | The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. |
Enable auditd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_auditd_enabled |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: 5.4.1.1, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-001464, CCI-001487, CCI-001814, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.1, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000365-GPOS-00152, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9 |
Description | The $ sudo systemctl enable auditd.service |
Rationale | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the |
OVAL details package auditd is installed passed because of these items:
Test that the auditd service is running passed because of these items:
systemd test passed because of these items:
systemd test passed because of these items:
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
Result | error |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R5), NT28(R59), CCI-002038, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | The sudo |
Rationale | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. |
OVAL details !authenticate does not exist in /etc/sudoers failed because these items were missing: Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
!authenticate does not exist in /etc/sudoers.d failed because these items were missing: Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
Result | error |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R5), NT28(R59), CCI-002038, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5 |
Description | The sudo |
Rationale | Without re-authentication, users may access resources or perform tasks for which they do not have authorization. |
OVAL details NOPASSWD does not exist in /etc/sudoers failed because these items were missing: Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
NOPASSWD does not exist in /etc/sudoers.d failed because these items were missing: Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
Ensure /var/log/audit Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | References: 1.1.11, CCI-000366, CCI-001849, 164.312(a)(2)(ii), A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8 |
Description | Audit logs are stored in the |
Rationale | Placing |
OVAL details /var/log/audit on own partition failed because these items were missing: Object oval:ssg-object_mount_var_log_audit_own_partition:obj:1 of type partition_object
Ensure /home Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | References: NT28(R12), 1.1.12, CCI-000366, CCI-001208, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8 |
Description | If user home directories will be stored locally, create a separate partition for |
Rationale | Ensuring that |
OVAL details /home on own partition failed because these items were missing: Object oval:ssg-object_mount_home_own_partition:obj:1 of type partition_object
Ensure /var/log Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R12), NT28(R47), 1.1.10, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, 1, 12, 14, 15, 16, 3, 5, 6, 8, SRG-OS-000480-GPOS-00227 |
Description | System logs are stored in the |
Rationale | Placing |
OVAL details /var/log on own partition failed because these items were missing: Object oval:ssg-object_mount_var_log_own_partition:obj:1 of type partition_object
Ensure /tmp Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | References: NT28(R12), 1.1.2, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8 |
Description | The |
Rationale | The |
OVAL details /tmp on own partition failed because these items were missing: Object oval:ssg-object_mount_tmp_own_partition:obj:1 of type partition_object
Ensure /var Located On Separate Partition
Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | References: NT28(R12), 1.1.5, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8 |
Description | The |
Rationale | Ensuring that |
OVAL details /var on own partition failed because these items were missing: Object oval:ssg-object_mount_var_own_partition:obj:1 of type partition_object
IOMMU configuration directive
Rule ID | xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force |
Result | notapplicable |
Time | 2020-07-31T14:15:19 |
Severity | unknown |
Identifiers and References | References: NT28(R11) |
Description | On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. |
Rationale | On x86 architectures, activating the IOMMU prevents arbitrary accesses to system memory that could otherwise be made by hardware devices. |
Ensure Logrotate Runs Periodically
Rule ID | xccdf_org.ssgproject.content_rule_ensure_logrotate_activated |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: CCI-000366, CM-6(a), PR.PT-1, Req-10.7, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6, NT28(R43), NT12(R18) |
Description | The # rotate log files frequency daily |
Rationale | Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. |
OVAL details Tests the presence of daily setting in /etc/logrotate.conf file failed because these items were missing: Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type textfilecontent54_object
Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility) failed because of these items:
Remediation Shell script:
Remediation Ansible snippet:
Ensure Log Files Are Owned By Appropriate Group
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R46), NT28(R5), CCI-001314, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | The group-owner of all log files written by $ ls -l LOGFILE If the owner is not adm, run the following command to correct this: $ sudo chgrp adm LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
OVAL details System log files are owned by root group failed because of these items:
Ensure Log Files Are Owned By Appropriate User
Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_files_ownership |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R46), NT28(R5), CCI-001314, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | The owner of all log files written by $ ls -l LOGFILE If the owner is not adm, run the following command to correct this: $ sudo chown adm LOGFILE |
Rationale | The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access. |
OVAL details System log files are owned by root failed because of these items:
Enable Randomized Layout of Virtual Address Space
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, NT28(R23) |
Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
Rationale | Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. |
Remediation Ansible snippet:
Disable Core Dumps for SUID programs
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable |
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), NT28(R23) |
Description | To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: $ sudo sysctl -w fs.suid_dumpable=0 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.suid_dumpable = 0 |
Rationale | The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. |
Remediation Ansible snippet:
Verify Group Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp shadow /etc/gshadow |
Rationale | The |
OVAL details Testing group ownership of /etc/gshadow passed because of these items:
Verify User Who Owns gshadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5, NT28(R36) |
Description | To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow |
Rationale | The |
OVAL details Testing user ownership of /etc/gshadow passed because of these items:
Verify User Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group |
Rationale | The |
OVAL details Testing user ownership of /etc/group passed because of these items:
Verify User Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_shadow |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5, NT28(R36) |
Description | To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow |
Rationale | The |
OVAL details Testing user ownership of /etc/shadow passed because of these items:
Verify User Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd |
Rationale | The |
OVAL details Testing user ownership of /etc/passwd passed because of these items:
Verify Group Who Owns shadow File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp shadow /etc/shadow |
Rationale | The |
OVAL details Testing group ownership of /etc/shadow passed because of these items:
Verify Group Who Owns passwd File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd |
Rationale | The |
OVAL details Testing group ownership of /etc/passwd passed because of these items:
Verify Group Who Owns group File
Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group |
Rationale | The |
OVAL details Testing group ownership of /etc/group passed because of these items:
Enable Kernel Parameter to Enforce DAC on Symlinks
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
Result | error |
Time | 2020-07-31T14:15:19 |
Severity | unknown |
Identifiers and References | References: NT28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125 |
Description | To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 |
Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of |
Remediation Ansible snippet:
Enable Kernel Parameter to Enforce DAC on Hardlinks
Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
Result | error |
Time | 2020-07-31T14:15:19 |
Severity | unknown |
Identifiers and References | References: NT28(R23), 1.6.1, CM-6(a), AC-6(1), SRG-OS-000324-GPOS-00125 |
Description | To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1 To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 |
Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of |
Remediation Ansible snippet:
Uninstall the ntpdate package
Rule ID | xccdf_org.ssgproject.content_rule_package_ntpdate_removed |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | |
Description | ntpdate is a historical NTP synchronization client for Unix systems. It should be uninstalled. |
Rationale | ntpdate is an old NTP client that is not security-compliant. It should be replaced by a modern NTP client such as ntpd, which is able to use the cryptographic mechanisms integrated in NTP. |
OVAL details package ntpdate is removed passed because these items were not found: Object oval:ssg-obj_test_package_ntpdate_removed:obj:1 of type dpkginfo_object
Uninstall the ssl compliant telnet server
Rule ID | xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed |
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT007(R02), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
Description | The |
Rationale | |
OVAL details package telnetd-ssl is removed passed because these items were not found: Object oval:ssg-obj_test_package_telnetd-ssl_removed:obj:1 of type dpkginfo_object
Uninstall the inet-based telnet server
Rule ID | xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT007(R03), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
Description | The inet-based telnet daemon should be uninstalled. |
Rationale | |
OVAL details | package inetutils-telnetd is removed: passed because these items were not found: Object oval:ssg-obj_test_package_inetutils-telnetd_removed:obj:1 of type dpkginfo_object |
Uninstall the nis package
Rule ID | xccdf_org.ssgproject.content_rule_package_nis_removed |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | low |
Identifiers and References | |
Description | Support for Yellow Pages (NIS) should not be installed unless it is required. |
Rationale | NIS is the historical Sun service for central account management, increasingly replaced by LDAP. NIS does not efficiently support security constraints, ACLs, etc., and should not be used. |
OVAL details | package nis is removed: passed because these items were not found: Object oval:ssg-obj_test_package_nis_removed:obj:1 of type dpkginfo_object |
Uninstall the telnet server
Rule ID | xccdf_org.ssgproject.content_rule_package_telnetd_removed |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT28(R1), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4 |
Description | The telnet daemon should be uninstalled. |
Rationale | |
OVAL details | package telnetd is removed: passed because these items were not found: Object oval:ssg-obj_test_package_telnetd_removed:obj:1 of type dpkginfo_object |
Disable unauthenticated repositories in APT configuration
Rule ID | xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | unknown |
Identifiers and References | References: NT28(R15) |
Description | Unauthenticated repositories should not be used for updates. |
Rationale | Repositories host all packages that will be installed on the system during an update. If a repository is not authenticated, the associated packages cannot be trusted and therefore should not be installed locally. |
OVAL details | Checks usage of unauthenticated in apt.conf: passed because these items were not found: Object oval:ssg-obj_unauthenticated_apt_conf:obj:1 of type textfilecontent54_object |
 | Checks usage of unauthenticated in apt.conf.d/*: passed because these items were not found: Object oval:ssg-obj_unauthenticated_apt_conf_d:obj:1 of type textfilecontent54_object |
Set SSH Client Alive Max Count
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
---|---|
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8 |
Description | To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax 0 |
Rationale | This ensures a user login will be terminated as soon as the |
OVAL details | Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file: failed because these items were missing: Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_clientalivecountmax:ste:1 of type textfilecontent54_state |
Remediation | script (collapsed in the original report) |
Set SSH Idle Timeout Interval
Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
---|---|
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: 5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, NT28(R29) |
Description | SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. ClientAliveInterval 300 The timeout interval is given in seconds. For example, to have a timeout of 10 minutes, set the interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. |
Rationale | Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. |
OVAL details | timeout is configured: failed because these items were missing: Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object; State oval:ssg-state_timeout_value_upper_bound:ste:1 of type textfilecontent54_state |
Remediation | script (collapsed in the original report) |
Allow Only SSH Protocol 2
Rule ID | xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT007(R1), 5.2.2, 5.5.6, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(a), AC-17(a), AC-17(2), IA-5(1)(c), SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, SRG-OS-000033-VMM-000140, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 8 |
Description | Only SSH protocol version 2 connections should be permitted. The default setting in Protocol 2 |
Rationale | SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. |
Warnings | warning: As of openssh-server version 7.4 and above, the only protocol supported is version 2, and the line Protocol 2 in /etc/ssh/sshd_config is not necessary. |
OVAL details | sshd uses protocol 2: passed because these items were not found: Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object |
Disable SSH Access via Empty Passwords
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT007(R17), 5.5.6, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9 |
Description | To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in PermitEmptyPasswords no Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
Rationale | Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. |
OVAL details | tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file: passed because these items were not found: Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_disable_empty_passwords:ste:1 of type textfilecontent54_state |
 | tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file: passed because these items were not found: Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type textfilecontent54_object |
Disable SSH Root Login
Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
---|---|
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R19), 5.5.6, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FIA_AFL.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 11, 12, 13, 14, 15, 16, 18, 3, 5 |
Description | The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in PermitRootLogin no |
Rationale | Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. |
OVAL details | tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file: failed because these items were missing: Object oval:ssg-obj_sshd_disable_root_login:obj:1 of type textfilecontent54_object; State oval:ssg-state_sshd_disable_root_login:ste:1 of type textfilecontent54_state |
Remediation | Shell script (collapsed in the original report) |
Remediation | Ansible snippet (collapsed in the original report) |
Remediation | script (collapsed in the original report) |
Install the cron service
Rule ID | xccdf_org.ssgproject.content_rule_package_cron_installed |
---|---|
Result | pass |
Time | 2020-07-31T14:15:19 |
Severity | medium |
Identifiers and References | References: NT28(R50), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, PR.IP-1, PR.PT-3 |
Description | The cron service should be installed. |
Rationale | The cron service allows periodic job execution, which is needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only. |
OVAL details | package cron is installed: passed because of these items: |
Install the ntp service
Rule ID | xccdf_org.ssgproject.content_rule_package_ntp_installed |
---|---|
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT012(R03), CCI-000160, CM-6(a), PR.PT-1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6, Req-10.4 |
Description | The ntpd service should be installed. |
Rationale | Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). Ntpd is regularly maintained and updated, and supports security features such as RFC 5906. |
OVAL details | package ntp is installed: failed because these items were missing: Object oval:ssg-obj_test_package_ntp_installed:obj:1 of type dpkginfo_object |
Remediation | Ansible snippet (collapsed in the original report) |
Remediation | Puppet snippet (collapsed in the original report) |
Enable the NTP Daemon
Rule ID | xccdf_org.ssgproject.content_rule_service_ntp_enabled |
---|---|
Result | fail |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT012(R03), CCI-000160, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6 |
Description | The $ sudo systemctl enable ntpd.service |
Rationale | Enabling the |
OVAL details | package ntp is installed: failed because these items were missing: Object oval:ssg-obj_test_service_ntp_package_ntp_installed:obj:1 of type dpkginfo_object |
 | Test that the ntp service is running: failed because these items were missing: Object oval:ssg-obj_service_running_ntp:obj:1 of type systemdunitproperty_object; State oval:ssg-state_service_running_ntp:ste:1 of type systemdunitproperty_state |
 | systemd test failed because of these items: |
 | systemd test failed because of these items: |
Remediation | Ansible snippet (collapsed in the original report) |
Remediation | Puppet snippet (collapsed in the original report) |
Enable systemd_timesyncd Service
Rule ID | xccdf_org.ssgproject.content_rule_service_timesyncd_enabled |
---|---|
Result | notchecked |
Time | 2020-07-31T14:15:19 |
Severity | high |
Identifiers and References | References: NT012(R03), CCI-000160, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6 |
Description | The $ sudo systemctl enable systemd_timesyncd.service |
Rationale | Enabling the |