Guide to the Secure Configuration of Ubuntu 18.04

with profile Profile for ANSSI DAT-NT28 High (Enforced) Level
This profile contains items for GNU/Linux installations storing sensitive informations that can be accessible from unauthenticated or uncontroled networks.
The SCAP Security Guide Project
https://www.open-scap.org/security-policies/scap-security-guide
This guide presents a catalog of security-relevant configuration settings for Ubuntu 18.04. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Target machinetest
Benchmark URL/tmp/tmp.Mh8Q1VxCCG
Benchmark IDxccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC
Profile IDxccdf_org.ssgproject.content_profile_anssi_np_nt28_high
Started at2020-07-31T14:15:19
Finished at2020-07-31T14:15:19
Performed byscheesman

CPE Platforms

  • cpe:/o:canonical:ubuntu_linux:18.04

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.1.201.221
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fd00:2704:0:0:250:56ff:fea5:acb
  • IPv6  fe80:0:0:0:250:56ff:fea5:acb
  • MAC  00:00:00:00:00:00
  • MAC  00:50:56:A5:0A:CB

Compliance and Scoring

The target system did not satisfy the conditions of 16 rules! Furthermore, the results of 4 rules were inconclusive. Please review rule results and consider applying remediation.

Rule results

23 passed
16 failed
6 other

Severity of failed rules

0 other
4 low
10 medium
2 high

Score

Scoring systemScoreMaximumPercent
urn:xccdf:scoring:default49.625000100.000000
49.63%

Rule Overview

Group rules by:
TitleSeverityResult
Guide to the Secure Configuration of Ubuntu 18.04 16x fail 4x error 2x notchecked
System Settings 11x fail 4x error 1x notchecked
System Accounting with auditd 1x notchecked
Ensure the audit Subsystem is Installedmedium
notchecked
Enable auditd Servicehigh
pass
Installing and Maintaining Software 5x fail 2x error
Sudo 2x error
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatemedium
error
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDmedium
error
Disk Partitioning 5x fail
Ensure /var/log/audit Located On Separate Partitionlow
fail
Ensure /home Located On Separate Partitionlow
fail
Ensure /var/log Located On Separate Partitionmedium
fail
Ensure /tmp Located On Separate Partitionlow
fail
Ensure /var Located On Separate Partitionlow
fail
GRUB2 bootloader configuration
IOMMU configuration directiveunknown
notapplicable
Configure Syslog 4x fail
Ensure All Logs are Rotated by logrotate 1x fail
Ensure Logrotate Runs Periodicallymedium
fail
Ensure Proper Configuration of Log Files 3x fail
Ensure Log Files Are Owned By Appropriate Groupmedium
fail
Ensure System Log Files Have Correct Permissionsmedium
fail
Ensure Log Files Are Owned By Appropriate Usermedium
fail
File Permissions and Masks 2x fail 2x error
Restrict Programs from Dangerous Execution Patterns 2x fail
Enable ExecShield 1x fail
Enable Randomized Layout of Virtual Address Spacemedium
fail
Disable Core Dumps 1x fail
Disable Core Dumps for SUID programsmedium
fail
Verify Permissions on Important Files and Directories 2x error
Verify Group Who Owns gshadow Filemedium
pass
Verify User Who Owns gshadow Filemedium
pass
Verify Permissions on passwd Filemedium
pass
Verify User Who Owns group Filemedium
pass
Verify User Who Owns shadow Filemedium
pass
Verify User Who Owns passwd Filemedium
pass
Verify Permissions on shadow Filemedium
pass
Verify Permissions on group Filemedium
pass
Verify Group Who Owns shadow Filemedium
pass
Verify Permissions on gshadow Filemedium
pass
Verify Group Who Owns passwd Filemedium
pass
Verify Group Who Owns group Filemedium
pass
Enable Kernel Parameter to Enforce DAC on Symlinksunknown
error
Enable Kernel Parameter to Enforce DAC on Hardlinksunknown
error
Verify that local System.map file (if exists) is readable only by rootunknown
pass
Services 5x fail 1x notchecked
Deprecated services
Uninstall the ntpdate packagelow
pass
Uninstall the ssl compliant telnet serverhigh
pass
Uninstall the inet-based telnet serverhigh
pass
Uninstall the nis packagelow
pass
Uninstall the telnet serverhigh
pass
APT service configuration
Disable unauthenticated repositories in APT configurationunknown
pass
SSH Server 3x fail
Configure OpenSSH Server if Necessary 3x fail
Set SSH Client Alive Max Countmedium
fail
Set SSH Idle Timeout Intervalmedium
fail
Allow Only SSH Protocol 2high
pass
Disable SSH Access via Empty Passwordshigh
pass
Disable SSH Root Loginmedium
fail
Cron and At Daemons
Install the cron servicemedium
pass
Network Time Protocol 2x fail 1x notchecked
Install the ntp servicehigh
fail
Enable the NTP Daemonhigh
fail
Enable systemd_timesyncd Servicehigh
notchecked

Result Details

Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed medium

Ensure the audit Subsystem is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_audit_installed
Result
notchecked
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), NT28(R50), SRG-OS-000480-GPOS-00227, SRG-OS-000122-GPOS-00063

Description

The audit package should be installed.

Rationale

The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.

Evaluation messages
info  
No candidate or applicable check found.
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled high

Enable auditd Service

Rule IDxccdf_org.ssgproject.content_rule_service_auditd_enabled
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  5.4.1.1, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-001464, CCI-001487, CCI-001814, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.1, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000365-GPOS-00152, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9

Description

The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command: 

$ sudo systemctl enable auditd.service

Rationale

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

OVAL details

package auditd is installed  passed because of these items:

NameArchEpochReleaseVersionEvr
auditdamd6411ubuntu12.8.21:2.8.2-1ubuntu1

Test that the auditd service is running  passed because of these items:

UnitPropertyValue
auditd.serviceActiveStateactive

systemd test  passed because of these items:

UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetproc-sys-fs-binfmt_misc.automountsystemd-random-seed.servicelvm2-monitor.servicedev-hugepages.mountapparmor.servicesystemd-hwdb-update.servicelocal-fs.targetboot.mount-.mountsystemd-remount-fs.servicesystemd-udevd.servicesystemd-journal-flush.servicecryptsetup.targetdev-mqueue.mountsystemd-update-utmp.servicesystemd-ask-password-console.pathplymouth-start.serviceswap.targetswap.img.swapsystemd-tmpfiles-setup.servicekmod-static-nodes.servicelvm2-lvmpolld.socketsystemd-tmpfiles-setup-dev.serviceblk-availability.servicesystemd-machine-id-commit.serviceplymouth-read-write.servicesys-kernel-config.mountopen-iscsi.servicesystemd-sysctl.servicesetvtrgb.servicesystemd-timesyncd.servicesystemd-modules-load.servicelvm2-lvmetad.socketsys-fs-fuse-connections.mountsystemd-binfmt.servicesystemd-udev-trigger.servicesys-kernel-debug.mountkeyboard-setup.servicesystemd-journald.serviceslices.targetsystem.slice-.slicepaths.targetapport-autoreport.pathacpid.pathsockets.targetsystemd-journald-audit.socketsystemd-journald.socketapport-forward.socketdbus.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-initctl.socketsystemd-udevd-kernel.socketuuidd.socketlxd.socketsnapd.socketacpid.socketsystemd-networkd.socketsystemd-udevd-control.socketiscsid.sockettmp.mounttimers.targetapt-daily-upgrade.timersystemd-tmpfiles-clean.timermotd-news.timerapt-daily.timerfstrim.timersnapd.snap-repair.timeropen-vm-tools.serviceatd.serviceirqbalance.serviceauditd.servicesnap-core-9665.mountplymouth-quit-wait.servicessh.serviceunattended-upgrades.servicesnapd.seeded.serviceplymouth-quit.servicethermald.serviceconsole-setup.servicesnapd.autoimport.servicesystemd-update-utmp-runlevel.servicegetty.targetgetty-static.servicegetty@tty1.serviceapport.servicelxd-containers.servicesnap-core-7270.mountgrub-common.serviceufw.servicepollinate.servicecloud-init.targetcloud-config.servicecloud-init.servicecloud-final.servicecloud-init-local.servicelxcfs.servicenetworkd-dispatcher.servicesystemd-networkd.servicesystemd-logind.servicesnapd.servicedbus.servicesystemd-user-sessions.serviceondemand.servicesystemd-ask-password-wall.pathremote-fs.targetrsyslog.servicersync.servicesystemd-resolved.serviceebtables.servicecron.servicesnapd.core-fixup.service

systemd test  passed because of these items:

UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetproc-sys-fs-binfmt_misc.automountsystemd-random-seed.servicelvm2-monitor.servicedev-hugepages.mountapparmor.servicesystemd-hwdb-update.servicelocal-fs.targetboot.mount-.mountsystemd-remount-fs.servicesystemd-udevd.servicesystemd-journal-flush.servicecryptsetup.targetdev-mqueue.mountsystemd-update-utmp.servicesystemd-ask-password-console.pathplymouth-start.serviceswap.targetswap.img.swapsystemd-tmpfiles-setup.servicekmod-static-nodes.servicelvm2-lvmpolld.socketsystemd-tmpfiles-setup-dev.serviceblk-availability.servicesystemd-machine-id-commit.serviceplymouth-read-write.servicesys-kernel-config.mountopen-iscsi.servicesystemd-sysctl.servicesetvtrgb.servicesystemd-timesyncd.servicesystemd-modules-load.servicelvm2-lvmetad.socketsys-fs-fuse-connections.mountsystemd-binfmt.servicesystemd-udev-trigger.servicesys-kernel-debug.mountkeyboard-setup.servicesystemd-journald.serviceslices.targetsystem.slice-.slicepaths.targetapport-autoreport.pathacpid.pathsockets.targetsystemd-journald-audit.socketsystemd-journald.socketapport-forward.socketdbus.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-initctl.socketsystemd-udevd-kernel.socketuuidd.socketlxd.socketsnapd.socketacpid.socketsystemd-networkd.socketsystemd-udevd-control.socketiscsid.sockettmp.mounttimers.targetapt-daily-upgrade.timersystemd-tmpfiles-clean.timermotd-news.timerapt-daily.timerfstrim.timersnapd.snap-repair.timeropen-vm-tools.serviceatd.serviceirqbalance.serviceauditd.servicesnap-core-9665.mountplymouth-quit-wait.servicessh.serviceunattended-upgrades.servicesnapd.seeded.serviceplymouth-quit.servicethermald.serviceconsole-setup.servicesnapd.autoimport.servicesystemd-update-utmp-runlevel.servicegetty.targetgetty-static.servicegetty@tty1.serviceapport.servicelxd-containers.servicesnap-core-7270.mountgrub-common.serviceufw.servicepollinate.servicecloud-init.targetcloud-config.servicecloud-init.servicecloud-final.servicecloud-init-local.servicelxcfs.servicenetworkd-dispatcher.servicesystemd-networkd.servicesystemd-logind.servicesnapd.servicedbus.servicesystemd-user-sessions.serviceondemand.servicesystemd-ask-password-wall.pathremote-fs.targetrsyslog.servicersync.servicesystemd-resolved.serviceebtables.servicecron.servicesnapd.core-fixup.service
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticatexccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate medium

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Result
error
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R5), NT28(R59), CCI-002038, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5

Description

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL details

!authenticate does not exist in /etc/sudoers  failed because these items were missing:

Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+\!authenticate.*$1

!authenticate does not exist in /etc/sudoers.d  failed because these items were missing:

Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d^.*$^(?!#).*[\s]+\!authenticate.*$1
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd medium

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Rule IDxccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Result
error
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R5), NT28(R59), CCI-002038, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SRG-OS-000373-VMM-001470, SRG-OS-000373-VMM-001480, SRG-OS-000373-VMM-001490, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, DSS05.04, DSS05.10, DSS06.03, DSS06.10, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

OVAL details

NOPASSWD does not exist /etc/sudoers  failed because these items were missing:

Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+NOPASSWD[\s]*\:.*$1

NOPASSWD does not exist in /etc/sudoers.d  failed because these items were missing:

Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d^.*$^(?!#).*[\s]+NOPASSWD[\s]*\:.*$1
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit low

Ensure /var/log/audit Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result
fail
Time2020-07-31T14:15:19
Severitylow
Identifiers and References

References:  1.1.11, CCI-000366, CCI-001849, 164.312(a)(2)(ii), A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8

Description

Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.

Rationale

Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

OVAL details

/var/log/audit on own partition  failed because these items were missing:

Object oval:ssg-object_mount_var_log_audit_own_partition:obj:1 of type partition_object
Mount point
/var/log/audit
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home low

Ensure /home Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_home
Result
fail
Time2020-07-31T14:15:19
Severitylow
Identifiers and References

References:  NT28(R12), 1.1.12, CCI-000366, CCI-001208, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8

Description

If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.

Rationale

Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.

OVAL details

/home on own partition  failed because these items were missing:

Object oval:ssg-object_mount_home_own_partition:obj:1 of type partition_object
Mount point
/home
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log medium

Ensure /var/log Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R12), NT28(R47), 1.1.10, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, 1, 12, 14, 15, 16, 3, 5, 6, 8, SRG-OS-000480-GPOS-00227

Description

System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Placing /var/log in its own partition enables better separation between log files and other files in /var/.

OVAL details

/var/log on own partition  failed because these items were missing:

Object oval:ssg-object_mount_var_log_own_partition:obj:1 of type partition_object
Mount point
/var/log
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp low

Ensure /tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_tmp
Result
fail
Time2020-07-31T14:15:19
Severitylow
Identifiers and References

References:  NT28(R12), 1.1.2, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8

Description

The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

OVAL details

/tmp on own partition  failed because these items were missing:

Object oval:ssg-object_mount_tmp_own_partition:obj:1 of type partition_object
Mount point
/tmp
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var low

Ensure /var Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var
Result
fail
Time2020-07-31T14:15:19
Severitylow
Identifiers and References

References:  NT28(R12), 1.1.5, CCI-000366, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, APO13.01, DSS05.02, A.13.1.1, A.13.2.1, A.14.1.3, 12, 15, 8

Description

The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.

Rationale

Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.

OVAL details

/var on own partition  failed because these items were missing:

Object oval:ssg-object_mount_var_own_partition:obj:1 of type partition_object
Mount point
/var
IOMMU configuration directivexccdf_org.ssgproject.content_rule_grub2_enable_iommu_force unknown

IOMMU configuration directive

Rule IDxccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
Result
notapplicable
Time2020-07-31T14:15:19
Severityunknown
Identifiers and References

References:  NT28(R11)

Description

On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory.

Rationale

On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by hardware devices.

Ensure Logrotate Runs Periodicallyxccdf_org.ssgproject.content_rule_ensure_logrotate_activated medium

Ensure Logrotate Runs Periodically

Rule IDxccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  CCI-000366, CM-6(a), PR.PT-1, Req-10.7, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6, NT28(R43), NT12(R18)

Description

The logrotate utility allows for the automatic rotation of log files. The frequency of rotation is specified in /etc/logrotate.conf, which triggers a cron task. To configure logrotate to run daily, add or correct the following line in /etc/logrotate.conf: 

# rotate log files frequency
daily

Rationale

Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.

OVAL details

Tests the presence of daily setting in /etc/logrotate.conf file  failed because these items were missing:

Object oval:ssg-object_logrotate_conf_daily_setting:obj:1 of type textfilecontent54_object
BehaviorsFilepathPatternInstanceFilter
no value/etc/logrotate.conf(?:daily)*.*(?=[\n][\s]*daily)(.*)$1oval:ssg-state_another_rotate_interval_after_daily:ste:1

Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)  failed because of these items:

PathContent
/etc/cron.daily/logrotate/usr/sbin/logrotate /etc/logrotate.conf
Remediation Shell script:   (show)


LOGROTATE_CONF_FILE="/etc/logrotate.conf"
CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"

# daily rotation is configured
grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE

# remove any line configuring weekly, monthly or yearly rotation
sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE

# configure cron.daily if not already
if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
	echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
	echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
fi
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:configure
- name: Configure daily log rotation in /etc/logrotate.conf
  lineinfile:
    create: true
    dest: /etc/logrotate.conf
    regexp: ^daily$
    line: daily
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - configure_strategy
    - ensure_logrotate_activated
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf
  lineinfile:
    create: false
    dest: /etc/logrotate.conf
    regexp: ^(weekly|monthly|yearly)$
    state: absent
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - configure_strategy
    - ensure_logrotate_activated
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Configure cron.daily if not already
  block:

    - name: Add shebang
      lineinfile:
        path: /etc/cron.daily/logrotate
        line: '#!/bin/sh'
        insertbefore: BOF
        create: true

    - name: Add logrotate call
      lineinfile:
        path: /etc/cron.daily/logrotate
        line: /usr/sbin/logrotate /etc/logrotate.conf
        regexp: ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.7
    - configure_strategy
    - ensure_logrotate_activated
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
Ensure Log Files Are Owned By Appropriate Groupxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership medium

Ensure Log Files Are Owned By Appropriate Group

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R46), NT28(R5), CCI-001314, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

The group-owner of all log files written by rsyslog should be adm. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's group owner: 

$ ls -l LOGFILE
If the owner is not adm, run the following command to correct this: 
$ sudo chgrp adm LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL details

System log files are owned by root group  failed because of these items:

PathTypeUIDGIDSize (B)Permissions
/var/log/syslogregular1024617287rw-r----- 
/var/log/auth.logregular102417362rw-r----- 
/var/log/cloud-init.logregular1024236141rw-r--r-- 
/var/log/kern.logregular1024495960rw-r----- 
Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions medium

Ensure System Log Files Have Correct Permissions

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R36), CCI-001314, CM-6(a), AC-6(1), Req-10.5.1, Req-10.5.2

Description

The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions: 

$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this: 
$ sudo chmod 0600 LOGFILE
"

Rationale

Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.

OVAL details

Permissions of system log files are correct  failed because of these items:

PathTypeUIDGIDSize (B)Permissions
/var/log/syslogregular1024617287rw-r----- 
/var/log/auth.logregular102417362rw-r----- 
/var/log/cloud-init.logregular1024236141rw-r--r-- 
/var/log/kern.logregular1024495960rw-r----- 
Ensure Log Files Are Owned By Appropriate Userxccdf_org.ssgproject.content_rule_rsyslog_files_ownership medium

Ensure Log Files Are Owned By Appropriate User

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R46), NT28(R5), CCI-001314, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-10.5.1, Req-10.5.2, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

The owner of all log files written by rsyslog should be adm. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's owner: 

$ ls -l LOGFILE
If the owner is not adm, run the following command to correct this: 
$ sudo chown adm LOGFILE

Rationale

The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.

OVAL details

System log files are owned by root  failed because of these items:

PathTypeUIDGIDSize (B)Permissions
/var/log/syslogregular1024617287rw-r----- 
/var/log/auth.logregular102417362rw-r----- 
/var/log/cloud-init.logregular1024236141rw-r--r-- 
/var/log/kern.logregular1024495960rw-r----- 
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space medium

Enable Randomized Layout of Virtual Address Space

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, NT28(R23)

Description

To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: 

$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
kernel.randomize_va_space = 2

Rationale

Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure sysctl kernel.randomize_va_space is set to 2
  sysctl:
    name: kernel.randomize_va_space
    value: '2'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-171-3.1.7
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-30
    - NIST-800-53-SC-30(2)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_randomize_va_space
Disable Core Dumps for SUID programsxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable medium

Disable Core Dumps for SUID programs

Rule IDxccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), NT28(R23)

Description

To set the runtime status of the fs.suid_dumpable kernel parameter, run the following command: 

$ sudo sysctl -w fs.suid_dumpable=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: 
fs.suid_dumpable = 0

Rationale

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.

Remediation Ansible snippet:   (show)

Complexity:low
Disruption:medium
Reboot:true
Strategy:disable
- name: Ensure sysctl fs.suid_dumpable is set to 0
  sysctl:
    name: fs.suid_dumpable
    value: '0'
    state: present
    reload: true
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-SI-11(a)
    - NIST-800-53-SI-11(b)
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_fs_suid_dumpable
Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow medium

Verify Group Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the group owner of /etc/gshadow, run the command: 

$ sudo chgrp shadow /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/gshadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/gshadowregular042609rw-r----- 
Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow medium

Verify User Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5, NT28(R36)

Description

To properly set the owner of /etc/gshadow, run the command: 

$ sudo chown root /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/gshadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/gshadowregular042609rw-r----- 
Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd medium

Verify Permissions on passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the permissions of /etc/passwd, run the command: 

$ sudo chmod 0644 /etc/passwd

Rationale

If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.

OVAL details

Testing mode of /etc/passwd  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/passwdregular001574rw-r--r-- 
Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group medium

Verify User Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_group
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the owner of /etc/group, run the command: 

$ sudo chown root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing user ownership of /etc/group  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/groupregular00721rw-r--r-- 
Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow medium

Verify User Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_shadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5, NT28(R36)

Description

To properly set the owner of /etc/shadow, run the command: 

$ sudo chown root /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

Testing user ownership of /etc/shadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/shadowregular042940rw-r----- 
Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd medium

Verify User Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the owner of /etc/passwd, run the command: 

$ sudo chown root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing user ownership of /etc/passwd  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/passwdregular001574rw-r--r-- 
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow medium

Verify Permissions on shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R36), 5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the permissions of /etc/shadow, run the command: 

$ sudo chmod 0640 /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

OVAL details

Testing mode of /etc/shadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/shadowregular042940rw-r----- 
Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group medium

Verify Permissions on group File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the permissions of /etc/passwd, run the command: 

$ sudo chmod 0644 /etc/passwd

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing mode of /etc/group  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/groupregular00721rw-r--r-- 
Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow medium

Verify Group Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the group owner of /etc/shadow, run the command: 

$ sudo chgrp shadow /etc/shadow

Rationale

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/shadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/shadowregular042940rw-r----- 
Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow medium

Verify Permissions on gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R36), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the permissions of /etc/gshadow, run the command: 

$ sudo chmod 0640 /etc/gshadow

Rationale

The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.

OVAL details

Testing mode of /etc/gshadow  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/gshadowregular042609rw-r----- 
Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd medium

Verify Group Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the group owner of /etc/passwd, run the command: 

$ sudo chgrp root /etc/passwd

Rationale

The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.

OVAL details

Testing group ownership of /etc/passwd  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/passwdregular001574rw-r--r-- 
Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group medium

Verify Group Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.2.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SR 2.1, SR 5.2, 4.3.3.7.3, APO01.06, DSS05.04, DSS05.07, DSS06.02, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 12, 13, 14, 15, 16, 18, 3, 5

Description

To properly set the group owner of /etc/group, run the command: 

$ sudo chgrp root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

OVAL details

Testing group ownership of /etc/group  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/etc/groupregular00721rw-r--r-- 
Verify that local System.map file (if exists) is readable only by rootxccdf_org.ssgproject.content_rule_file_permissions_systemmap unknown

Verify that local System.map file (if exists) is readable only by root

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result
pass
Time2020-07-31T14:15:19
Severityunknown
Identifiers and References

References:  NT28(R13)

Description

Files containing sensitive informations should be protected by restrictive permissions. Most of the time, there is no need that these files need to be read by any non-root user To properly set the permissions of /boot/System.map-*, run the command: 

$ sudo chmod 0600 /boot/System.map-*

Rationale

The System.map file contains information about kernel symbols and can give some hints to generate local exploitation.

OVAL details

system.map files readable only by root  passed because of these items:

PathTypeUIDGIDSize (B)Permissions
/boot/System.map-4.15.0-55-genericregular004051807rw------- 
Uninstall the ntpdate packagexccdf_org.ssgproject.content_rule_package_ntpdate_removed low

Uninstall the ntpdate package

Rule IDxccdf_org.ssgproject.content_rule_package_ntpdate_removed
Result
pass
Time2020-07-31T14:15:19
Severitylow
Identifiers and References
Description

ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.

Rationale

ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.

OVAL details

package ntpdate is removed  passed because these items were not found:

Object oval:ssg-obj_test_package_ntpdate_removed:obj:1 of type dpkginfo_object
Name
ntpdate
Uninstall the ssl compliant telnet serverxccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed high

Uninstall the ssl compliant telnet server

Rule IDxccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT007(R02), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Description

The telnet daemon, even with ssl support, should be uninstalled.

Rationale

telnet, even with ssl support, should not be installed. When remote shell is required, up-to-date ssh daemon can be used.

OVAL details

package telnetd-ssl is removed  passed because these items were not found:

Object oval:ssg-obj_test_package_telnetd-ssl_removed:obj:1 of type dpkginfo_object
Name
telnetd-ssl
Uninstall the inet-based telnet serverxccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed high

Uninstall the inet-based telnet server

Rule IDxccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT007(R03), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Description

The inet-based telnet daemon should be uninstalled.

Rationale

telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.

OVAL details

package inetutils-telnetd is removed  passed because these items were not found:

Object oval:ssg-obj_test_package_inetutils-telnetd_removed:obj:1 of type dpkginfo_object
Name
inetutils-telnetd
Uninstall the nis packagexccdf_org.ssgproject.content_rule_package_nis_removed low

Uninstall the nis package

Rule IDxccdf_org.ssgproject.content_rule_package_nis_removed
Result
pass
Time2020-07-31T14:15:19
Severitylow
Identifiers and References
Description

The support for Yellowpages should not be installed unless it is required.

Rationale

NIS is the historical SUN service for central account management, more and more replaced by LDAP. NIS does not support efficiently security constraints, ACL, etc. and should not be used.

OVAL details

package nis is removed  passed because these items were not found:

Object oval:ssg-obj_test_package_nis_removed:obj:1 of type dpkginfo_object
Name
nis
Uninstall the telnet serverxccdf_org.ssgproject.content_rule_package_telnetd_removed high

Uninstall the telnet server

Rule IDxccdf_org.ssgproject.content_rule_package_telnetd_removed
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT28(R1), CM-7(a), CM-7(b), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, 11, 12, 14, 15, 3, 8, 9, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4

Description

The telnet daemon should be uninstalled.

Rationale

telnet allows clear text communications, and does not protect any data transmission between client and server. Any confidential data can be listened and no integrity checking is made.'

OVAL details

package telnetd is removed  passed because these items were not found:

Object oval:ssg-obj_test_package_telnetd_removed:obj:1 of type dpkginfo_object
Name
telnetd
Disable unauthenticated repositories in APT configurationxccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated unknown

Disable unauthenticated repositories in APT configuration

Rule IDxccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated
Result
pass
Time2020-07-31T14:15:19
Severityunknown
Identifiers and References

References:  NT28(R15)

Description

Unauthenticated repositories should not be used for updates.

Rationale

Repositories hosts all packages that will be intsalled on the system during update. If a repository is not authenticated, the associated packages can't be trusted, and then should not be installed localy.

OVAL details

Checks usage of unauthenticated in apt.conf  passed because these items were not found:

Object oval:ssg-obj_unauthenticated_apt_conf:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/apt/apt/apt.conf^[\s]*APT::Get::AllowUnauthenticated(=|[\s]+)(yes|true|True);.*$1

Checks usage of unauthenticated in apt.conf.d/*  passed because these items were not found:

Object oval:ssg-obj_unauthenticated_apt_conf_d:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/apt/apt.conf.d/.*$^[\s]*APT::Get::AllowUnauthenticated(=|[\s]+)(yes|true|True);.*$1
Set SSH Client Alive Max Countxccdf_org.ssgproject.content_rule_sshd_set_keepalive medium

Set SSH Client Alive Max Count

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8

Description

To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, edit /etc/ssh/sshd_config as follows: 

ClientAliveCountMax 0

Rationale

This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.

OVAL details

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file  failed because these items were missing:

Object oval:ssg-obj_sshd_clientalivecountmax:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$1
State oval:ssg-state_sshd_clientalivecountmax:ste:1 of type textfilecontent54_state
Subexpression
0
Remediation script:   (show)

Complexity:low
Disruption:low
Strategy:restrict
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config
Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout medium

Set SSH Idle Timeout Interval

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result
fail
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  5.5.6, 3.1.11, CCI-000879, CCI-001133, CCI-002361, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, NT28(R29)

Description

SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows: 

ClientAliveInterval 300


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.

Rationale

Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.

OVAL details

timeout is configured  failed because these items were missing:

Object oval:ssg-object_sshd_idle_timeout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$1
State oval:ssg-state_timeout_value_upper_bound:ste:1 of type textfilecontent54_state
Subexpression
300
Remediation script:   (show)

Complexity:low
Disruption:low
Strategy:restrict
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:,%0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox
        filesystem: root
        mode: 0600
        path: /etc/ssh/sshd_config
Allow Only SSH Protocol 2xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2 high

Allow Only SSH Protocol 2

Rule IDxccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT007(R1), 5.2.2, 5.5.6, 3.1.13, 3.5.4, CCI-000197, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), CM-6(a), AC-17(a), AC-17(2), IA-5(1)(c), SC-13, MA-4(6), PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, PR.PT-4, SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227, SRG-OS-000033-VMM-000140, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, APO13.01, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, 1, 12, 15, 16, 5, 8

Description

Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears: 

Protocol 2

Rationale

SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.

Warnings
warning  As of openssh-server version 7.4 and above, the only protocol supported is version 2, and line 
Protocol 2
in /etc/ssh/sshd_config is not necessary.
OVAL details

sshd uses protocol 2  passed because these items were not found:

Object oval:ssg-object_sshd_allow_only_protocol2:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$1
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords high

Disable SSH Access via Empty Passwords

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result
pass
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT007(R17), 5.5.6, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_AFL.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, 11, 12, 13, 14, 15, 16, 18, 3, 5, 9

Description

To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config: 

PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.

Rationale

Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.

OVAL details

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file  passed because these items were not found:

Object oval:ssg-obj_sshd_disable_empty_passwords:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)1
State oval:ssg-state_sshd_disable_empty_passwords:ste:1 of type textfilecontent54_state
Subexpression
^no$

tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file  passed because these items were not found:

Object oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/ssh/sshd_config^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+1
Install the cron servicexccdf_org.ssgproject.content_rule_package_cron_installed medium

Install the cron service

Rule IDxccdf_org.ssgproject.content_rule_package_cron_installed
Result
pass
Time2020-07-31T14:15:19
Severitymedium
Identifiers and References

References:  NT28(R50), CM-6(a), SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, 11, 14, 3, 9, PR.IP-1, PR.PT-3

Description

The Cron service should be installed.

Rationale

The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.

OVAL details

package cron is installed  passed because of these items:

NameArchEpochReleaseVersionEvr
cronamd640128.1ubuntu13.0pl10:3.0pl1-128.1ubuntu1
Install the ntp servicexccdf_org.ssgproject.content_rule_package_ntp_installed high

Install the ntp service

Rule IDxccdf_org.ssgproject.content_rule_package_ntp_installed
Result
fail
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT012(R03), CCI-000160, CM-6(a), PR.PT-1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6, Req-10.4

Description

The ntpd service should be installed.

Rationale

Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.

OVAL details

package ntp is installed  failed because these items were missing:

Object oval:ssg-obj_test_package_ntp_installed:obj:1 of type dpkginfo_object
Name
ntp
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure ntp is installed
  package:
    name: ntp
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4
    - enable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - package_ntp_installed
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
include install_ntp

class install_ntp {
  package { 'ntp':
    ensure => 'installed',
  }
}
Enable the NTP Daemonxccdf_org.ssgproject.content_rule_service_ntp_enabled high

Enable the NTP Daemon

Rule IDxccdf_org.ssgproject.content_rule_service_ntp_enabled
Result
fail
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT012(R03), CCI-000160, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6

Description

The ntpd service can be enabled with the following command: 

$ sudo systemctl enable ntpd.service

Rationale

Enabling the ntpd service ensures that the ntpd service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

The NTP daemon offers all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate.

OVAL details

package ntp is installed  failed because these items were missing:

Object oval:ssg-obj_test_service_ntp_package_ntp_installed:obj:1 of type dpkginfo_object
Name
ntp

Test that the ntp service is running  failed because these items were missing:

Object oval:ssg-obj_service_running_ntp:obj:1 of type systemdunitproperty_object
UnitProperty
^ntp\.(socket|service)$ActiveState
State oval:ssg-state_service_running_ntp:ste:1 of type systemdunitproperty_state
Value
active

systemd test  failed because of these items:

UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetproc-sys-fs-binfmt_misc.automountsystemd-random-seed.servicelvm2-monitor.servicedev-hugepages.mountapparmor.servicesystemd-hwdb-update.servicelocal-fs.targetboot.mount-.mountsystemd-remount-fs.servicesystemd-udevd.servicesystemd-journal-flush.servicecryptsetup.targetdev-mqueue.mountsystemd-update-utmp.servicesystemd-ask-password-console.pathplymouth-start.serviceswap.targetswap.img.swapsystemd-tmpfiles-setup.servicekmod-static-nodes.servicelvm2-lvmpolld.socketsystemd-tmpfiles-setup-dev.serviceblk-availability.servicesystemd-machine-id-commit.serviceplymouth-read-write.servicesys-kernel-config.mountopen-iscsi.servicesystemd-sysctl.servicesetvtrgb.servicesystemd-timesyncd.servicesystemd-modules-load.servicelvm2-lvmetad.socketsys-fs-fuse-connections.mountsystemd-binfmt.servicesystemd-udev-trigger.servicesys-kernel-debug.mountkeyboard-setup.servicesystemd-journald.serviceslices.targetsystem.slice-.slicepaths.targetapport-autoreport.pathacpid.pathsockets.targetsystemd-journald-audit.socketsystemd-journald.socketapport-forward.socketdbus.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-initctl.socketsystemd-udevd-kernel.socketuuidd.socketlxd.socketsnapd.socketacpid.socketsystemd-networkd.socketsystemd-udevd-control.socketiscsid.sockettmp.mounttimers.targetapt-daily-upgrade.timersystemd-tmpfiles-clean.timermotd-news.timerapt-daily.timerfstrim.timersnapd.snap-repair.timeropen-vm-tools.serviceatd.serviceirqbalance.serviceauditd.servicesnap-core-9665.mountplymouth-quit-wait.servicessh.serviceunattended-upgrades.servicesnapd.seeded.serviceplymouth-quit.servicethermald.serviceconsole-setup.servicesnapd.autoimport.servicesystemd-update-utmp-runlevel.servicegetty.targetgetty-static.servicegetty@tty1.serviceapport.servicelxd-containers.servicesnap-core-7270.mountgrub-common.serviceufw.servicepollinate.servicecloud-init.targetcloud-config.servicecloud-init.servicecloud-final.servicecloud-init-local.servicelxcfs.servicenetworkd-dispatcher.servicesystemd-networkd.servicesystemd-logind.servicesnapd.servicedbus.servicesystemd-user-sessions.serviceondemand.servicesystemd-ask-password-wall.pathremote-fs.targetrsyslog.servicersync.servicesystemd-resolved.serviceebtables.servicecron.servicesnapd.core-fixup.service

systemd test  failed because of these items:

UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.target-.mountsysinit.targetproc-sys-fs-binfmt_misc.automountsystemd-random-seed.servicelvm2-monitor.servicedev-hugepages.mountapparmor.servicesystemd-hwdb-update.servicelocal-fs.targetboot.mount-.mountsystemd-remount-fs.servicesystemd-udevd.servicesystemd-journal-flush.servicecryptsetup.targetdev-mqueue.mountsystemd-update-utmp.servicesystemd-ask-password-console.pathplymouth-start.serviceswap.targetswap.img.swapsystemd-tmpfiles-setup.servicekmod-static-nodes.servicelvm2-lvmpolld.socketsystemd-tmpfiles-setup-dev.serviceblk-availability.servicesystemd-machine-id-commit.serviceplymouth-read-write.servicesys-kernel-config.mountopen-iscsi.servicesystemd-sysctl.servicesetvtrgb.servicesystemd-timesyncd.servicesystemd-modules-load.servicelvm2-lvmetad.socketsys-fs-fuse-connections.mountsystemd-binfmt.servicesystemd-udev-trigger.servicesys-kernel-debug.mountkeyboard-setup.servicesystemd-journald.serviceslices.targetsystem.slice-.slicepaths.targetapport-autoreport.pathacpid.pathsockets.targetsystemd-journald-audit.socketsystemd-journald.socketapport-forward.socketdbus.socketsystemd-journald-dev-log.socketdm-event.socketsystemd-initctl.socketsystemd-udevd-kernel.socketuuidd.socketlxd.socketsnapd.socketacpid.socketsystemd-networkd.socketsystemd-udevd-control.socketiscsid.sockettmp.mounttimers.targetapt-daily-upgrade.timersystemd-tmpfiles-clean.timermotd-news.timerapt-daily.timerfstrim.timersnapd.snap-repair.timeropen-vm-tools.serviceatd.serviceirqbalance.serviceauditd.servicesnap-core-9665.mountplymouth-quit-wait.servicessh.serviceunattended-upgrades.servicesnapd.seeded.serviceplymouth-quit.servicethermald.serviceconsole-setup.servicesnapd.autoimport.servicesystemd-update-utmp-runlevel.servicegetty.targetgetty-static.servicegetty@tty1.serviceapport.servicelxd-containers.servicesnap-core-7270.mountgrub-common.serviceufw.servicepollinate.servicecloud-init.targetcloud-config.servicecloud-init.servicecloud-final.servicecloud-init-local.servicelxcfs.servicenetworkd-dispatcher.servicesystemd-networkd.servicesystemd-logind.servicesnapd.servicedbus.servicesystemd-user-sessions.serviceondemand.servicesystemd-ask-password-wall.pathremote-fs.targetrsyslog.servicersync.servicesystemd-resolved.serviceebtables.servicecron.servicesnapd.core-fixup.service
Remediation Ansible snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
- name: Enable service ntp
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service ntp
      service:
        name: ntp
        enabled: 'yes'
        state: started
      when:
        - '"ntp" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - NIST-800-53-AU-8(1)(a)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-10.4
    - enable_strategy
    - high_severity
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - service_ntp_enabled
Remediation Puppet snippet:   (show)

Complexity:low
Disruption:low
Strategy:enable
include enable_ntp

class enable_ntp {
  service {'ntp':
    enable => true,
    ensure => 'running',
  }
}
Enable systemd_timesyncd Servicexccdf_org.ssgproject.content_rule_service_timesyncd_enabled high

Enable systemd_timesyncd Service

Rule IDxccdf_org.ssgproject.content_rule_service_timesyncd_enabled
Result
notchecked
Time2020-07-31T14:15:19
Severityhigh
Identifiers and References

References:  NT012(R03), CCI-000160, CM-6(a), AU-8(1)(a), PR.PT-1, Req-10.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, 1, 14, 15, 16, 3, 5, 6

Description

The systemd_timesyncd service can be enabled with the following command: 

$ sudo systemctl enable systemd_timesyncd.service

Rationale

Enabling the systemd_timesyncd service ensures that this host uses the ntp protocol to fetch time data from a ntp server. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.

Additional information on Ubuntu network time protocol is available at https://help.ubuntu.com/lts/serverguide/NTP.html.en.

Evaluation messages
info  
No candidate or applicable check found.
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.