build_shorthand.py from SCAP Security Guide ssg: 0.1.79 2.0 2025-11-18T22:33:24 Set Account Expiration Following Inactivity ocil:ssg-account_disable_post_pw_expiration_action:testaction:1 Assign Expiration Date to Temporary Accounts ocil:ssg-account_temp_expire_date_action:testaction:1 Ensure All Accounts on the System Have Unique User IDs ocil:ssg-account_unique_id_action:testaction:1 Ensure All Accounts on the System Have Unique Names ocil:ssg-account_unique_name_action:testaction:1 Limit the Number of Concurrent Login Sessions Allowed Per User ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1 Set Password Maximum Age ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1 Set Password Minimum Age ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1 Verify Only Root Has UID 0 ocil:ssg-accounts_no_uid_except_zero_action:testaction:1 Verify All Account Password Hashes are Shadowed ocil:ssg-accounts_password_all_shadowed_action:testaction:1 Ensure all users last password change date is in the past ocil:ssg-accounts_password_last_change_is_in_past_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Digit Characters ocil:ssg-accounts_password_pam_dcredit_action:testaction:1 Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words ocil:ssg-accounts_password_pam_dictcheck_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Different Characters ocil:ssg-accounts_password_pam_difok_action:testaction:1 Ensure PAM Enforces Password Requirements - Enforce for root User ocil:ssg-accounts_password_pam_enforce_root_action:testaction:1 Ensure PAM Enforces Password Requirements - Enforcing ocil:ssg-accounts_password_pam_enforcing_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters ocil:ssg-accounts_password_pam_lcredit_action:testaction:1 Set Password Maximum Consecutive Repeating Characters ocil:ssg-accounts_password_pam_maxrepeat_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Different Categories ocil:ssg-accounts_password_pam_minclass_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Length ocil:ssg-accounts_password_pam_minlen_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Special Characters ocil:ssg-accounts_password_pam_ocredit_action:testaction:1 Limit Password Reuse ocil:ssg-accounts_password_pam_pwhistory_remember_action:testaction:1 Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session ocil:ssg-accounts_password_pam_retry_action:testaction:1 Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters ocil:ssg-accounts_password_pam_ucredit_action:testaction:1 Require use_authtok for pam_unix.so ocil:ssg-accounts_password_pam_unix_authtok_action:testaction:1 Set Existing Passwords Maximum Age ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1 Set Existing Passwords Minimum Age ocil:ssg-accounts_password_set_min_life_existing_action:testaction:1 Set Password Warning Age ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1 Enforce Delay After Failed Logon Attempts ocil:ssg-accounts_passwords_pam_faildelay_delay_action:testaction:1 Account Lockouts Must Be Logged ocil:ssg-accounts_passwords_pam_faillock_audit_action:testaction:1 Lock Accounts After Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_deny_action:testaction:1 Set Interval For Counting Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_interval_action:testaction:1 Do Not Show System Messages When Unsuccessful Logon Attempts Occur ocil:ssg-accounts_passwords_pam_faillock_silent_action:testaction:1 Set Lockout Time for Failed Password Attempts ocil:ssg-accounts_passwords_pam_faillock_unlock_time_action:testaction:1 Verify Root Has A Primary GID 0 ocil:ssg-accounts_root_gid_zero_action:testaction:1 Ensure that Root's Path Does Not Include World or Group-Writable Directories ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1 Set existing passwords a period of inactivity before they been locked ocil:ssg-accounts_set_post_pw_existing_action:testaction:1 Set Interactive Session Timeout ocil:ssg-accounts_tmout_action:testaction:1 Ensure the Default Bash Umask is Set Correctly ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1 Ensure the Default Umask is Set Correctly in login.defs ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1 Ensure the Default Umask is Set Correctly in /etc/profile ocil:ssg-accounts_umask_etc_profile_action:testaction:1 User Initialization Files Must Be Group-Owned By The Primary Group ocil:ssg-accounts_user_dot_group_ownership_action:testaction:1 User Initialization Files Must Be Owned By the Primary User ocil:ssg-accounts_user_dot_user_ownership_action:testaction:1 All Interactive Users Home Directories Must Exist ocil:ssg-accounts_user_interactive_home_directory_exists_action:testaction:1 Build and Test AIDE Database ocil:ssg-aide_build_database_action:testaction:1 Configure AIDE to Verify the Audit Tools ocil:ssg-aide_check_audit_tools_action:testaction:1 Configure AIDE To Notify Personnel if Baseline Configurations Are Altered ocil:ssg-aide_disable_silentreports_action:testaction:1 Configure Periodic Execution of AIDE ocil:ssg-aide_periodic_cron_checking_action:testaction:1 Ensure AppArmor is Active and Configured ocil:ssg-apparmor_configured_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chmod ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - chown ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmod ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchmodat ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchown ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fchownat ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fremovexattr ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - fsetxattr ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lchown ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lremovexattr ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - lsetxattr ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - removexattr ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1 Record Events that Modify the System's Discretionary Access Controls - setxattr ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1 Record Any Attempts to Run chacl ocil:ssg-audit_rules_execution_chacl_action:testaction:1 Record Any Attempts to Run chcon ocil:ssg-audit_rules_execution_chcon_action:testaction:1 Record Any Attempts to Run setfacl ocil:ssg-audit_rules_execution_setfacl_action:testaction:1 Ensure auditd Collects File Deletion Events by User - rename ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1 Ensure auditd Collects File Deletion Events by User - renameat ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1 Ensure auditd Collects File Deletion Events by User - rmdir ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1 Ensure auditd Collects File Deletion Events by User - unlink ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1 Ensure auditd Collects File Deletion Events by User - unlinkat ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1 Make the auditd Configuration Immutable ocil:ssg-audit_rules_immutable_action:testaction:1 Ensure auditd Collects Information on Kernel Module Unloading - delete_module ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1 Ensure auditd Collects Information on Kernel Module Loading - init_module ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1 Record Attempts to Alter Logon and Logout Events - faillock ocil:ssg-audit_rules_login_events_faillock_action:testaction:1 Record Attempts to Alter Logon and Logout Events - faillog ocil:ssg-audit_rules_login_events_faillog_action:testaction:1 Record Attempts to Alter Logon and Logout Events - lastlog ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1 Record Events that Modify the System's Mandatory Access Controls (/etc/apparmor) ocil:ssg-audit_rules_mac_modification_etc_apparmor_action:testaction:1 Record Events that Modify the System's Mandatory Access Controls (/etc/apparmor.d) ocil:ssg-audit_rules_mac_modification_etc_apparmor_d_action:testaction:1 Ensure auditd Collects Information on Exporting to Media (successful) ocil:ssg-audit_rules_media_export_action:testaction:1 Record Events that Modify the System's Network Environment ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands ocil:ssg-audit_rules_privileged_commands_action:testaction:1 Record Any Attempts to Run apparmor_parser ocil:ssg-audit_rules_privileged_commands_apparmor_parser_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chage ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chfn ocil:ssg-audit_rules_privileged_commands_chfn_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - chsh ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - crontab ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - fdisk ocil:ssg-audit_rules_privileged_commands_fdisk_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - kmod ocil:ssg-audit_rules_privileged_commands_kmod_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - modprobe ocil:ssg-audit_rules_privileged_commands_modprobe_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - mount ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - newgrp ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - passwd ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1 Record Any Attempts to Run ssh-agent ocil:ssg-audit_rules_privileged_commands_ssh_agent_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - su ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudo ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - umount ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - unix_update ocil:ssg-audit_rules_privileged_commands_unix_update_action:testaction:1 Ensure auditd Collects Information on the Use of Privileged Commands - usermod ocil:ssg-audit_rules_privileged_commands_usermod_action:testaction:1 Record Attempts to Alter Process and Session Initiation Information btmp ocil:ssg-audit_rules_session_events_btmp_action:testaction:1 Record Attempts to Alter Process and Session Initiation Information utmp ocil:ssg-audit_rules_session_events_utmp_action:testaction:1 Record Attempts to Alter Process and Session Initiation Information wtmp ocil:ssg-audit_rules_session_events_wtmp_action:testaction:1 Ensure auditd Collects System Administrator Actions - /etc/sudoers ocil:ssg-audit_rules_sudoers_action:testaction:1 Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ ocil:ssg-audit_rules_sudoers_d_action:testaction:1 Record Events When Executables Are Run As Another User ocil:ssg-audit_rules_suid_auid_privilege_function_action:testaction:1 Record Events When Privileged Executables Are Run ocil:ssg-audit_rules_suid_privilege_function_action:testaction:1 Ensure auditd Collects System Administrator Actions ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1 Record attempts to alter time through adjtimex ocil:ssg-audit_rules_time_adjtimex_action:testaction:1 Record Attempts to Alter Time Through clock_settime ocil:ssg-audit_rules_time_clock_settime_action:testaction:1 Record attempts to alter time through settimeofday ocil:ssg-audit_rules_time_settimeofday_action:testaction:1 Record Attempts to Alter the localtime File ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1 Record Unsuccessful Access Attempts to Files - creat ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1 Record Unsuccessful Access Attempts to Files - ftruncate ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1 Record Unsuccessful Access Attempts to Files - open ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1 Record Unsuccessful Access Attempts to Files - open_by_handle_at ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1 Record Unsuccessful Access Attempts to Files - openat ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1 Record Unsuccessful Access Attempts to Files - truncate ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1 Record Events that Modify User/Group Information - /etc/group ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1 Record Events that Modify User/Group Information - /etc/gshadow ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1 Record Events that Modify User/Group Information - /etc/nsswitch.conf ocil:ssg-audit_rules_usergroup_modification_nsswitch_conf_action:testaction:1 Record Events that Modify User/Group Information - /etc/security/opasswd ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1 Record Events that Modify User/Group Information - /etc/pam.conf ocil:ssg-audit_rules_usergroup_modification_pam_conf_action:testaction:1 Record Events that Modify User/Group Information - /etc/pam.d/ ocil:ssg-audit_rules_usergroup_modification_pamd_action:testaction:1 Record Events that Modify User/Group Information - /etc/passwd ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1 Record Events that Modify User/Group Information - /etc/shadow ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1 Ensure auditd Collects records for events that affect "/var/log/journal" ocil:ssg-audit_rules_var_log_journal_action:testaction:1 Record Attempts to perform maintenance activities ocil:ssg-audit_sudo_log_events_action:testaction:1 Configure audispd Plugin To Send Logs To Remote Server ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1 Configure a Sufficiently Large Partition for Audit Logs ocil:ssg-auditd_audispd_configure_sufficiently_large_partition_action:testaction:1 Configure auditd Disk Error Action on Disk Error ocil:ssg-auditd_data_disk_error_action_action:testaction:1 Configure auditd Disk Full Action when Disk Space Is Full ocil:ssg-auditd_data_disk_full_action_action:testaction:1 Configure auditd mail_acct Action on Low Disk Space ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1 Configure auditd admin_space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1 Configure auditd Max Log File Size ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1 Configure auditd max_log_file_action Upon Reaching Maximum Log Size ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1 Configure auditd space_left Action on Low Disk Space ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1 Configure auditd space_left on Low Disk Space ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1 Offload audit Logs to External Media ocil:ssg-auditd_offload_logs_action:testaction:1 Ensure Local Login Warning Banner Is Configured Properly ocil:ssg-banner_etc_issue_cis_action:testaction:1 Modify the System Login Banner for Remote Connections ocil:ssg-banner_etc_issue_net_action:testaction:1 Ensure Remote Login Warning Banner Is Configured Properly ocil:ssg-banner_etc_issue_net_cis_action:testaction:1 Ensure Message Of The Day Is Configured Properly ocil:ssg-banner_etc_motd_cis_action:testaction:1 Enable NX or XD Support in the BIOS ocil:ssg-bios_enable_execution_restrictions_action:testaction:1 Chrony Configure Pool and Server ocil:ssg-chronyd_configure_pool_and_server_action:testaction:1 Configure Time Service Maxpoll Interval ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1 Ensure that chronyd is running under chrony user account ocil:ssg-chronyd_run_as_chrony_user_action:testaction:1 Synchronize internal information system clocks ocil:ssg-chronyd_sync_clock_action:testaction:1 Ensure apt_get Removes Previous Package Versions ocil:ssg-clean_components_post_updating_action:testaction:1 Enable GNOME3 Login Warning Banner ocil:ssg-dconf_gnome_banner_enabled_action:testaction:1 Disable GNOME3 Automounting ocil:ssg-dconf_gnome_disable_automount_action:testaction:1 Disable GNOME3 Automount Opening ocil:ssg-dconf_gnome_disable_automount_open_action:testaction:1 Disable GNOME3 Automount running ocil:ssg-dconf_gnome_disable_autorun_action:testaction:1 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 ocil:ssg-dconf_gnome_disable_ctrlaltdel_reboot_action:testaction:1 Disable the GNOME3 Login User List ocil:ssg-dconf_gnome_disable_user_list_action:testaction:1 Set the GNOME3 Login Warning Banner Text ocil:ssg-dconf_gnome_login_banner_text_action:testaction:1 Set GNOME3 Screensaver Inactivity Timeout ocil:ssg-dconf_gnome_screensaver_idle_delay_action:testaction:1 Set GNOME3 Screensaver Lock Delay After Activation Period ocil:ssg-dconf_gnome_screensaver_lock_delay_action:testaction:1 Enable GNOME3 Screensaver Lock After Idle Period ocil:ssg-dconf_gnome_screensaver_lock_enabled_action:testaction:1 Verify that Shared Library Directories Have Root Group Ownership ocil:ssg-dir_group_ownership_library_dirs_action:testaction:1 Verify that system commands directories are group owned by root ocil:ssg-dir_groupownership_binary_dirs_action:testaction:1 Verify that System Executable Have Root Ownership ocil:ssg-dir_ownership_binary_dirs_action:testaction:1 Verify that Shared Library Directories Have Root Ownership ocil:ssg-dir_ownership_library_dirs_action:testaction:1 Verify that System Executable Directories Have Restrictive Permissions ocil:ssg-dir_permissions_binary_dirs_action:testaction:1 Verify that All World-Writable Directories Have Sticky Bits Set ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1 System Audit Logs Must Have Mode 0750 or Less Permissive ocil:ssg-directory_permissions_var_log_audit_action:testaction:1 Disable Ctrl-Alt-Del Reboot Activation ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1 Disable Host-Based Authentication ocil:ssg-disable_host_auth_action:testaction:1 Disable Core Dumps for All Users ocil:ssg-disable_users_coredumps_action:testaction:1 Encrypt Partitions ocil:ssg-encrypt_partitions_action:testaction:1 Ensure Logrotate Runs Periodically ocil:ssg-ensure_logrotate_activated_action:testaction:1 Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty ocil:ssg-ensure_pam_wheel_group_empty_action:testaction:1 Ensure root account access is controlled ocil:ssg-ensure_root_access_controlled_action:testaction:1 Ensure real-time clock is set to UTC ocil:ssg-ensure_rtc_utc_configuration_action:testaction:1 Ensure shadow Group is Empty ocil:ssg-ensure_shadow_group_empty_action:testaction:1 Ensure sudo group has only necessary members ocil:ssg-ensure_sudo_group_restricted_action:testaction:1 Ensure that /etc/at.allow exists ocil:ssg-file_at_allow_exists_action:testaction:1 Ensure that /etc/cron.allow exists ocil:ssg-file_cron_allow_exists_action:testaction:1 Ensure that /etc/cron.deny does not exist ocil:ssg-file_cron_deny_not_exist_action:testaction:1 System Audit Logs Must Be Group Owned By Root ocil:ssg-file_group_ownership_var_log_audit_action:testaction:1 Verify Group Who Owns /etc/at.allow file ocil:ssg-file_groupowner_at_allow_action:testaction:1 Verify Group Who Owns /etc/at.deny file ocil:ssg-file_groupowner_at_deny_action:testaction:1 Verify Group Who Owns Backup group File ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1 Verify Group Who Owns Backup gshadow File ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1 Verify Group Who Owns Backup passwd File ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1 Verify User Who Owns Backup shadow File ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1 Verify Group Who Owns /etc/cron.allow file ocil:ssg-file_groupowner_cron_allow_action:testaction:1 Verify Group Who Owns cron.d ocil:ssg-file_groupowner_cron_d_action:testaction:1 Verify Group Who Owns cron.daily ocil:ssg-file_groupowner_cron_daily_action:testaction:1 Verify Group Who Owns cron.hourly ocil:ssg-file_groupowner_cron_hourly_action:testaction:1 Verify Group Who Owns cron.monthly ocil:ssg-file_groupowner_cron_monthly_action:testaction:1 Verify Group Who Owns cron.weekly ocil:ssg-file_groupowner_cron_weekly_action:testaction:1 Verify Group Who Owns Crontab ocil:ssg-file_groupowner_crontab_action:testaction:1 Verify Group Who Owns group File ocil:ssg-file_groupowner_etc_group_action:testaction:1 Verify Group Who Owns gshadow File ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1 Verify Group Ownership of System Login Banner ocil:ssg-file_groupowner_etc_issue_action:testaction:1 Verify Group Ownership of System Login Banner for Remote Connections ocil:ssg-file_groupowner_etc_issue_net_action:testaction:1 Verify Group Ownership of Message of the Day Banner ocil:ssg-file_groupowner_etc_motd_action:testaction:1 Verify Group Who Owns passwd File ocil:ssg-file_groupowner_etc_passwd_action:testaction:1 Verify Group Who Owns /etc/security/opasswd File ocil:ssg-file_groupowner_etc_security_opasswd_action:testaction:1 Verify Group Who Owns /etc/security/opasswd.old File ocil:ssg-file_groupowner_etc_security_opasswd_old_action:testaction:1 Verify Group Who Owns shadow File ocil:ssg-file_groupowner_etc_shadow_action:testaction:1 Verify Group Who Owns /etc/shells File ocil:ssg-file_groupowner_etc_shells_action:testaction:1 Verify Group Who Owns SSH Server config file ocil:ssg-file_groupowner_sshd_config_action:testaction:1 Verify Group Who Owns the system journal ocil:ssg-file_groupowner_system_journal_action:testaction:1 Verify Group Who Owns /var/log Directory ocil:ssg-file_groupowner_var_log_action:testaction:1 Verify Group Who Owns /var/log/auth.log File ocil:ssg-file_groupowner_var_log_auth_action:testaction:1 Verify Group Who Owns /var/log/cloud-init.log* File ocil:ssg-file_groupowner_var_log_cloud_init_action:testaction:1 Verify Group Who Owns /var/log/*.journal(~) File ocil:ssg-file_groupowner_var_log_journal_action:testaction:1 Verify Group Who Owns /var/log/lastlog File ocil:ssg-file_groupowner_var_log_lastlog_action:testaction:1 Verify Group Who Owns /var/log/localmessages* File ocil:ssg-file_groupowner_var_log_localmessages_action:testaction:1 Verify Group Who Owns /var/log/messages File ocil:ssg-file_groupowner_var_log_messages_action:testaction:1 Verify Group Who Owns /var/log/secure File ocil:ssg-file_groupowner_var_log_secure_action:testaction:1 Verify Group Who Owns /var/log/syslog File ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1 Verify Group Who Owns /var/log/waagent.log File ocil:ssg-file_groupowner_var_log_waagent_action:testaction:1 Verify Group Who Owns /var/log/(b|w)tmp(.*|-*) File ocil:ssg-file_groupowner_var_log_wbtmp_action:testaction:1 Verify that audit tools are owned by group root ocil:ssg-file_groupownership_audit_binaries_action:testaction:1 Audit Configuration Files Must Be Owned By Group root ocil:ssg-file_groupownership_audit_configuration_action:testaction:1 All Interactive User Home Directories Must Be Group-Owned By The Primary Group ocil:ssg-file_groupownership_home_directories_action:testaction:1 Verify that system commands files are group owned by root or a system account ocil:ssg-file_groupownership_system_commands_dirs_action:testaction:1 Verify ownership of log files ocil:ssg-file_groupownerships_var_log_action:testaction:1 Verify Groupownership of Files in /var/log/apt ocil:ssg-file_groupownerships_var_log_apt_action:testaction:1 Verify Groupownership of Files in /var/log/gdm ocil:ssg-file_groupownerships_var_log_gdm_action:testaction:1 Verify Groupownership of Files in /var/log/gdm3 ocil:ssg-file_groupownerships_var_log_gdm3_action:testaction:1 Verify Groupownership of Files in /var/log/landscape ocil:ssg-file_groupownerships_var_log_landscape_action:testaction:1 Verify Grouponwership of Files in /var/log/sssd ocil:ssg-file_groupownerships_var_log_sssd_action:testaction:1 Verify User Who Owns /etc/at.allow file ocil:ssg-file_owner_at_allow_action:testaction:1 Verify User Who Owns /etc/at.deny file ocil:ssg-file_owner_at_deny_action:testaction:1 Verify User Who Owns Backup group File ocil:ssg-file_owner_backup_etc_group_action:testaction:1 Verify User Who Owns Backup gshadow File ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1 Verify User Who Owns Backup passwd File ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1 Verify Group Who Owns Backup shadow File ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1 Verify User Who Owns /etc/cron.allow file ocil:ssg-file_owner_cron_allow_action:testaction:1 Verify Owner on cron.d ocil:ssg-file_owner_cron_d_action:testaction:1 Verify Owner on cron.daily ocil:ssg-file_owner_cron_daily_action:testaction:1 Verify Owner on cron.hourly ocil:ssg-file_owner_cron_hourly_action:testaction:1 Verify Owner on cron.monthly ocil:ssg-file_owner_cron_monthly_action:testaction:1 Verify Owner on cron.weekly ocil:ssg-file_owner_cron_weekly_action:testaction:1 Verify Owner on crontab ocil:ssg-file_owner_crontab_action:testaction:1 Verify User Who Owns group File ocil:ssg-file_owner_etc_group_action:testaction:1 Verify User Who Owns gshadow File ocil:ssg-file_owner_etc_gshadow_action:testaction:1 Verify ownership of System Login Banner ocil:ssg-file_owner_etc_issue_action:testaction:1 Verify ownership of System Login Banner for Remote Connections ocil:ssg-file_owner_etc_issue_net_action:testaction:1 Verify ownership of Message of the Day Banner ocil:ssg-file_owner_etc_motd_action:testaction:1 Verify User Who Owns passwd File ocil:ssg-file_owner_etc_passwd_action:testaction:1 Verify User Who Owns /etc/security/opasswd File ocil:ssg-file_owner_etc_security_opasswd_action:testaction:1 Verify User Who Owns /etc/security/opasswd.old File ocil:ssg-file_owner_etc_security_opasswd_old_action:testaction:1 Verify User Who Owns shadow File ocil:ssg-file_owner_etc_shadow_action:testaction:1 Verify Who Owns /etc/shells File ocil:ssg-file_owner_etc_shells_action:testaction:1 Verify /boot/grub/grub.cfg User Ownership ocil:ssg-file_owner_grub2_cfg_action:testaction:1 Verify Owner on SSH Server config file ocil:ssg-file_owner_sshd_config_action:testaction:1 Verify Owner on the system journal ocil:ssg-file_owner_system_journal_action:testaction:1 Verify User Who Owns /var/log Directory ocil:ssg-file_owner_var_log_action:testaction:1 Verify User Who Owns /var/log/auth.log File ocil:ssg-file_owner_var_log_auth_action:testaction:1 Verify User Who Owns /var/log/cloud-init.log File ocil:ssg-file_owner_var_log_cloud_init_action:testaction:1 Verify User Who Owns /var/log/*.journal(~) Files ocil:ssg-file_owner_var_log_journal_action:testaction:1 Verify User Who Owns /var/log/lastlog File ocil:ssg-file_owner_var_log_lastlog_action:testaction:1 Verify User Who Owns /var/log/localmessages File ocil:ssg-file_owner_var_log_localmessages_action:testaction:1 Verify User Who Owns /var/log/messages File ocil:ssg-file_owner_var_log_messages_action:testaction:1 Verify User Who Owns /var/log/secure File ocil:ssg-file_owner_var_log_secure_action:testaction:1 Verify User Who Owns /var/log/syslog File ocil:ssg-file_owner_var_log_syslog_action:testaction:1 Verify User Who Owns /var/log/waagent.log File ocil:ssg-file_owner_var_log_waagent_action:testaction:1 Verify User Who Owns /var/log/(b|w)tmp(.*|-*) File ocil:ssg-file_owner_var_log_wbtmp_action:testaction:1 Verify that audit tools are owned by root ocil:ssg-file_ownership_audit_binaries_action:testaction:1 Audit Configuration Files Must Be Owned By Root ocil:ssg-file_ownership_audit_configuration_action:testaction:1 Verify that System Executables Have Root Ownership ocil:ssg-file_ownership_binary_dirs_action:testaction:1 All Interactive User Home Directories Must Be Owned By The Primary User ocil:ssg-file_ownership_home_directories_action:testaction:1 Verify that Shared Library Files Have Root Ownership ocil:ssg-file_ownership_library_dirs_action:testaction:1 System Audit Logs Must Be Owned By Root ocil:ssg-file_ownership_var_log_audit_stig_action:testaction:1 Verify ownership of log files ocil:ssg-file_ownerships_var_log_action:testaction:1 Verify Ownership of Files in /var/log/apt ocil:ssg-file_ownerships_var_log_apt_action:testaction:1 Verify Ownership of Files in /var/log/gdm ocil:ssg-file_ownerships_var_log_gdm_action:testaction:1 Verify Ownership of Files in /var/log/gdm3 ocil:ssg-file_ownerships_var_log_gdm3_action:testaction:1 Verify Ownership of Files in /var/log/landscape ocil:ssg-file_ownerships_var_log_landscape_action:testaction:1 Verify Ownership of Files in /var/log/sssd ocil:ssg-file_ownerships_var_log_sssd_action:testaction:1 Ensure User Bash History File Has Correct Permissions ocil:ssg-file_permission_user_bash_history_action:testaction:1 Ensure All User Initialization Files Have Mode 0740 Or Less Permissive ocil:ssg-file_permission_user_init_files_action:testaction:1 Verify Permissions on /etc/at.allow file ocil:ssg-file_permissions_at_allow_action:testaction:1 Verify Permissions on /etc/at.deny file ocil:ssg-file_permissions_at_deny_action:testaction:1 Verify that audit tools Have Mode 0755 or less ocil:ssg-file_permissions_audit_binaries_action:testaction:1 Verify Permissions on Backup group File ocil:ssg-file_permissions_backup_etc_group_action:testaction:1 Verify Permissions on Backup gshadow File ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1 Verify Permissions on Backup passwd File ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1 Verify Permissions on Backup shadow File ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1 Verify that System Executables Have Restrictive Permissions ocil:ssg-file_permissions_binary_dirs_action:testaction:1 Verify Permissions on /etc/cron.allow file ocil:ssg-file_permissions_cron_allow_action:testaction:1 Verify Permissions on cron.d ocil:ssg-file_permissions_cron_d_action:testaction:1 Verify Permissions on cron.daily ocil:ssg-file_permissions_cron_daily_action:testaction:1 Verify Permissions on cron.hourly ocil:ssg-file_permissions_cron_hourly_action:testaction:1 Verify Permissions on cron.monthly ocil:ssg-file_permissions_cron_monthly_action:testaction:1 Verify Permissions on cron.weekly ocil:ssg-file_permissions_cron_weekly_action:testaction:1 Verify Permissions on crontab ocil:ssg-file_permissions_crontab_action:testaction:1 Verify Permissions on /etc/audit/auditd.conf ocil:ssg-file_permissions_etc_audit_auditd_action:testaction:1 Verify Permissions on /etc/audit/audit.rules ocil:ssg-file_permissions_etc_audit_rules_action:testaction:1 Verify Permissions on /etc/audit/rules.d/*.rules ocil:ssg-file_permissions_etc_audit_rulesd_action:testaction:1 Verify Permissions on group File ocil:ssg-file_permissions_etc_group_action:testaction:1 Verify Permissions on gshadow File ocil:ssg-file_permissions_etc_gshadow_action:testaction:1 Verify permissions on System Login Banner ocil:ssg-file_permissions_etc_issue_action:testaction:1 Verify permissions on System Login Banner for Remote Connections ocil:ssg-file_permissions_etc_issue_net_action:testaction:1 Verify permissions on Message of the Day Banner ocil:ssg-file_permissions_etc_motd_action:testaction:1 Verify Permissions on passwd File ocil:ssg-file_permissions_etc_passwd_action:testaction:1 Verify Permissions on /etc/security/opasswd File ocil:ssg-file_permissions_etc_security_opasswd_action:testaction:1 Verify Permissions on /etc/security/opasswd.old File ocil:ssg-file_permissions_etc_security_opasswd_old_action:testaction:1 Verify Permissions on shadow File ocil:ssg-file_permissions_etc_shadow_action:testaction:1 Verify Permissions on /etc/shells File ocil:ssg-file_permissions_etc_shells_action:testaction:1 Verify /boot/grub/grub.cfg Permissions ocil:ssg-file_permissions_grub2_cfg_action:testaction:1 All Interactive User Home Directories Must Have mode 0750 Or Less Permissive ocil:ssg-file_permissions_home_directories_action:testaction:1 Verify that Shared Library Files Have Restrictive Permissions ocil:ssg-file_permissions_library_dirs_action:testaction:1 Verify Permissions on SSH Server config file ocil:ssg-file_permissions_sshd_config_action:testaction:1 Verify Permissions on SSH Server Private *_key Key Files ocil:ssg-file_permissions_sshd_private_key_action:testaction:1 Verify Permissions on SSH Server Public *.pub Key Files ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1 Verify Permissions on the system journal ocil:ssg-file_permissions_system_journal_action:testaction:1 Verify Permissions on System.map Files ocil:ssg-file_permissions_systemmap_action:testaction:1 Ensure No World-Writable Files Exist ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1 Ensure All Files Are Owned by a Group ocil:ssg-file_permissions_ungroupowned_action:testaction:1 Verify Permissions on /var/log Directory ocil:ssg-file_permissions_var_log_action:testaction:1 Verify Permissions on files in the /var/log/apt/.* directory ocil:ssg-file_permissions_var_log_apt_action:testaction:1 System Audit Logs Must Have Mode 0640 or Less Permissive ocil:ssg-file_permissions_var_log_audit_action:testaction:1 Verify Permissions on /var/log/auth.log File ocil:ssg-file_permissions_var_log_auth_action:testaction:1 Verify Permissions on /var/log/cloud-init.log(.*) Files ocil:ssg-file_permissions_var_log_cloud-init_action:testaction:1 Verify Permissions of Files in /var/log/gdm ocil:ssg-file_permissions_var_log_gdm_action:testaction:1 Verify Permissions of Files in /var/log/gdm3 ocil:ssg-file_permissions_var_log_gdm3_action:testaction:1 Verify Permissions on /var/log/lastlog(.*) Files ocil:ssg-file_permissions_var_log_lastlog_action:testaction:1 Verify Permissions on /var/log/localmessages(.*) Files ocil:ssg-file_permissions_var_log_localmessages_action:testaction:1 Verify Permissions on /var/log/messages File ocil:ssg-file_permissions_var_log_messages_action:testaction:1 Verify Permissions on /var/log/secure File ocil:ssg-file_permissions_var_log_secure_action:testaction:1 Verify Permissions of Files in /var/log/sssd ocil:ssg-file_permissions_var_log_sssd_action:testaction:1 Verify Permissions on /var/log/syslog File ocil:ssg-file_permissions_var_log_syslog_action:testaction:1 Verify Permissions on /var/log/waagent.log(.*) Files ocil:ssg-file_permissions_var_log_waagent_action:testaction:1 Verify Permissions on /var/log/wtmp(.*) Files ocil:ssg-file_permissions_var_log_wbtmp_action:testaction:1 All GIDs referenced in /etc/passwd must be defined in /etc/group ocil:ssg-gid_passwd_group_same_action:testaction:1 Disable XDMCP in GDM ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1 Ensure All Groups on the System Have Unique Group ID ocil:ssg-group_unique_id_action:testaction:1 Ensure All Groups on the System Have Unique Group Names ocil:ssg-group_unique_name_action:testaction:1 Verify Only Group Root Has GID 0 ocil:ssg-groups_no_zero_gid_except_root_action:testaction:1 Enable Auditing for Processes Which Start Prior to the Audit Daemon ocil:ssg-grub2_audit_argument_action:testaction:1 Extend Audit Backlog Limit for the Audit Daemon ocil:ssg-grub2_audit_backlog_limit_argument_action:testaction:1 Set Boot Loader Password in grub2 ocil:ssg-grub2_password_action:testaction:1 Set the UEFI Boot Loader Password ocil:ssg-grub2_uefi_password_action:testaction:1 Ensure Mail Transfer Agent is not Listening on any non-loopback Address ocil:ssg-has_nonlocal_mta_action:testaction:1 Install Smart Card Packages For Multifactor Authentication ocil:ssg-install_smartcard_packages_action:testaction:1 Ensure ip6tables Firewall Rules Exist for All Open Ports ocil:ssg-ip6tables_rules_for_open_ports_action:testaction:1 Ensure iptables Firewall Rules Exist for All Open Ports ocil:ssg-iptables_rules_for_open_ports_action:testaction:1 Verify '/proc/sys/crypto/fips_enabled' exists ocil:ssg-is_fips_mode_enabled_action:testaction:1 Ensure journald is configured to compress large log files ocil:ssg-journald_compress_action:testaction:1 Ensure journald ForwardToSyslog is disabled ocil:ssg-journald_disable_forward_to_syslog_action:testaction:1 Ensure journald is configured to write log files to persistent disk ocil:ssg-journald_storage_action:testaction:1 Disable Mounting of cramfs ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1 Disable DCCP Support ocil:ssg-kernel_module_dccp_disabled_action:testaction:1 Disable RDS Support ocil:ssg-kernel_module_rds_disabled_action:testaction:1 Disable SCTP Support ocil:ssg-kernel_module_sctp_disabled_action:testaction:1 Disable TIPC Support ocil:ssg-kernel_module_tipc_disabled_action:testaction:1 Disable Modprobe Loading of USB Storage Driver ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1 Add nodev Option to /dev/shm ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1 Add noexec Option to /dev/shm ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1 Add nosuid Option to /dev/shm ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1 Add nodev Option to /home ocil:ssg-mount_option_home_nodev_action:testaction:1 Add nosuid Option to /home ocil:ssg-mount_option_home_nosuid_action:testaction:1 Add nodev Option to /tmp ocil:ssg-mount_option_tmp_nodev_action:testaction:1 Add noexec Option to /tmp ocil:ssg-mount_option_tmp_noexec_action:testaction:1 Add nosuid Option to /tmp ocil:ssg-mount_option_tmp_nosuid_action:testaction:1 Add nodev Option to /var/log/audit ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1 Add noexec Option to /var/log/audit ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1 Add nosuid Option to /var/log/audit ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1 Add nodev Option to /var/log ocil:ssg-mount_option_var_log_nodev_action:testaction:1 Add noexec Option to /var/log ocil:ssg-mount_option_var_log_noexec_action:testaction:1 Add nosuid Option to /var/log ocil:ssg-mount_option_var_log_nosuid_action:testaction:1 Add nodev Option to /var ocil:ssg-mount_option_var_nodev_action:testaction:1 Add nosuid Option to /var ocil:ssg-mount_option_var_nosuid_action:testaction:1 Add nodev Option to /var/tmp ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1 Add noexec Option to /var/tmp ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1 Add nosuid Option to /var/tmp ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1 Ensure nftables Default Deny Firewall Policy ocil:ssg-nftables_ensure_default_deny_policy_action:testaction:1 Ensure nftables Rules are Permanent ocil:ssg-nftables_rules_permanent_action:testaction:1 Prevent Login to Accounts With Empty Password ocil:ssg-no_empty_passwords_action:testaction:1 Ensure There Are No Accounts With Blank or Null Passwords ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1 Ensure All Files Are Owned by a User ocil:ssg-no_files_unowned_by_user_action:testaction:1 Verify No .forward Files Exist ocil:ssg-no_forward_files_action:testaction:1 Verify No netrc Files Exist ocil:ssg-no_netrc_files_action:testaction:1 Ensure nologin Shell is Not Listed in /etc/shells ocil:ssg-no_nologin_in_shells_action:testaction:1 Remove Rsh Trust Files ocil:ssg-no_rsh_trust_files_action:testaction:1 Ensure that System Accounts Do Not Run a Shell Upon Login ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1 Install AIDE ocil:ssg-package_aide_installed_action:testaction:1 Ensure the default plugins for the audit dispatcher are Installed ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1 Ensure the audit Subsystem is Installed ocil:ssg-package_audit_installed_action:testaction:1 Remove autofs Package ocil:ssg-package_autofs_removed_action:testaction:1 Uninstall avahi Server Package ocil:ssg-package_avahi_removed_action:testaction:1 Uninstall bind Package ocil:ssg-package_bind_removed_action:testaction:1 The Chrony package is installed ocil:ssg-package_chrony_installed_action:testaction:1 Install the cron service ocil:ssg-package_cron_installed_action:testaction:1 Uninstall CUPS Package ocil:ssg-package_cups_removed_action:testaction:1 Uninstall DHCP Server Package ocil:ssg-package_dhcp_removed_action:testaction:1 Uninstall dnsmasq Package ocil:ssg-package_dnsmasq_removed_action:testaction:1 Uninstall dovecot Package ocil:ssg-package_dovecot_removed_action:testaction:1 Remove ftp Package ocil:ssg-package_ftp_removed_action:testaction:1 Remove the GDM Package Group ocil:ssg-package_gdm_removed_action:testaction:1 Uninstall apache2 Package ocil:ssg-package_httpd_removed_action:testaction:1 Install iptables-persistent Package ocil:ssg-package_iptables-persistent_installed_action:testaction:1 Remove iptables-persistent Package ocil:ssg-package_iptables-persistent_removed_action:testaction:1 Install iptables Package ocil:ssg-package_iptables_installed_action:testaction:1 Uninstall net-snmp Package ocil:ssg-package_net-snmp_removed_action:testaction:1 Uninstall nfs-kernel-server Package ocil:ssg-package_nfs-kernel-server_removed_action:testaction:1 Install nftables Package ocil:ssg-package_nftables_installed_action:testaction:1 Uninstall nginx Package ocil:ssg-package_nginx_removed_action:testaction:1 Ensure LDAP client is not installed ocil:ssg-package_openldap-clients_removed_action:testaction:1 Uninstall openldap-servers Package ocil:ssg-package_openldap-servers_removed_action:testaction:1 Install the opensc Package For Multifactor Authentication ocil:ssg-package_opensc_installed_action:testaction:1 Install the OpenSSH Server Package ocil:ssg-package_openssh-server_installed_action:testaction:1 Install pam_pwquality Package ocil:ssg-package_pam_pwquality_installed_action:testaction:1 Uninstall rpcbind Package ocil:ssg-package_rpcbind_removed_action:testaction:1 Uninstall rsh-server Package ocil:ssg-package_rsh-server_removed_action:testaction:1 Uninstall rsh Package ocil:ssg-package_rsh_removed_action:testaction:1 Uninstall rsync Package ocil:ssg-package_rsync_removed_action:testaction:1 Ensure rsyslog is Installed ocil:ssg-package_rsyslog_installed_action:testaction:1 Uninstall Samba Package ocil:ssg-package_samba_removed_action:testaction:1 Uninstall squid Package ocil:ssg-package_squid_removed_action:testaction:1 Install sudo Package ocil:ssg-package_sudo_installed_action:testaction:1 Install systemd-journal-remote Package ocil:ssg-package_systemd-journal-remote_installed_action:testaction:1 Uninstall talk Package ocil:ssg-package_talk_removed_action:testaction:1 Remove telnet Clients ocil:ssg-package_telnet_removed_action:testaction:1 Uninstall tftpd-hpa Package ocil:ssg-package_tftp-server_removed_action:testaction:1 Install ufw Package ocil:ssg-package_ufw_installed_action:testaction:1 Remove ufw Package ocil:ssg-package_ufw_removed_action:testaction:1 Uninstall vsftpd Package ocil:ssg-package_vsftpd_removed_action:testaction:1 Uninstall xinetd Package ocil:ssg-package_xinetd_removed_action:testaction:1 Remove the X Windows Package Group ocil:ssg-package_xorg-x11-server-common_removed_action:testaction:1 Uninstall ypserv Package ocil:ssg-package_ypserv_removed_action:testaction:1 Ensure /dev/shm is configured ocil:ssg-partition_for_dev_shm_action:testaction:1 Ensure /home Located On Separate Partition ocil:ssg-partition_for_home_action:testaction:1 Ensure /tmp Located On Separate Partition ocil:ssg-partition_for_tmp_action:testaction:1 Ensure /var Located On Separate Partition ocil:ssg-partition_for_var_action:testaction:1 Ensure /var/log Located On Separate Partition ocil:ssg-partition_for_var_log_action:testaction:1 Ensure /var/log/audit Located On Separate Partition ocil:ssg-partition_for_var_log_audit_action:testaction:1 Ensure /var/tmp Located On Separate Partition ocil:ssg-partition_for_var_tmp_action:testaction:1 Verify permissions of log files ocil:ssg-permissions_local_var_log_action:testaction:1 Disable Postfix Network Listening ocil:ssg-postfix_network_listening_disabled_action:testaction:1 Direct root Logins Are Not Allowed ocil:ssg-prevent_direct_root_logins_action:testaction:1 Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root or a required system account. ocil:ssg-root_permissions_syslibrary_files_action:testaction:1 Ensure Log Files Are Owned By Appropriate Group ocil:ssg-rsyslog_files_groupownership_action:testaction:1 Ensure Log Files Are Owned By Appropriate User ocil:ssg-rsyslog_files_ownership_action:testaction:1 Ensure System Log Files Have Correct Permissions ocil:ssg-rsyslog_files_permissions_action:testaction:1 Ensure remote access methods are monitored in Rsyslog ocil:ssg-rsyslog_remote_access_monitoring_action:testaction:1 Enable auditd Service ocil:ssg-service_auditd_enabled_action:testaction:1 Disable the Automounter ocil:ssg-service_autofs_disabled_action:testaction:1 Disable Avahi Server Software ocil:ssg-service_avahi-daemon_disabled_action:testaction:1 Disable Bluetooth Service ocil:ssg-service_bluetooth_disabled_action:testaction:1 The Chronyd service is enabled ocil:ssg-service_chronyd_enabled_action:testaction:1 Enable cron Service ocil:ssg-service_cron_enabled_action:testaction:1 Disable the CUPS Service ocil:ssg-service_cups_disabled_action:testaction:1 Disable DHCP Service ocil:ssg-service_dhcpd_disabled_action:testaction:1 Disable Dovecot Service ocil:ssg-service_dovecot_disabled_action:testaction:1 Disable apache2 Service ocil:ssg-service_httpd_disabled_action:testaction:1 Disable KDump Kernel Crash Analyzer (kdump) ocil:ssg-service_kdump_disabled_action:testaction:1 Disable Network File System (nfs) ocil:ssg-service_nfs_disabled_action:testaction:1 Verify nftables Service is Disabled ocil:ssg-service_nftables_disabled_action:testaction:1 Verify nftables Service is Enabled ocil:ssg-service_nftables_enabled_action:testaction:1 Disable nginx Service ocil:ssg-service_nginx_disabled_action:testaction:1 Ensure rsyncd service is disabled ocil:ssg-service_rsyncd_disabled_action:testaction:1 Enable rsyslog Service ocil:ssg-service_rsyslog_enabled_action:testaction:1 Disable LDAP Server (slapd) ocil:ssg-service_slapd_disabled_action:testaction:1 Disable Samba ocil:ssg-service_smb_disabled_action:testaction:1 Disable snmpd Service ocil:ssg-service_snmpd_disabled_action:testaction:1 Disable Squid ocil:ssg-service_squid_disabled_action:testaction:1 Enable the OpenSSH Service ocil:ssg-service_sshd_enabled_action:testaction:1 Enable systemd-journal-upload Service ocil:ssg-service_systemd-journal-upload_enabled_action:testaction:1 Enable systemd-journald Service ocil:ssg-service_systemd-journald_enabled_action:testaction:1 Disable tftpd-hpa Service ocil:ssg-service_tftp_disabled_action:testaction:1 Configure Systemd Timesyncd Servers ocil:ssg-service_timesyncd_configured_action:testaction:1 Enable systemd_timesyncd Service ocil:ssg-service_timesyncd_enabled_action:testaction:1 Verify ufw Enabled ocil:ssg-service_ufw_enabled_action:testaction:1 Disable vsftpd Service ocil:ssg-service_vsftpd_disabled_action:testaction:1 Disable xinetd Service ocil:ssg-service_xinetd_disabled_action:testaction:1 Disable ypserv Service ocil:ssg-service_ypserv_disabled_action:testaction:1 Set Default ip6tables Policy for Incoming Packets ocil:ssg-set_ip6tables_default_rule_action:testaction:1 Set Default iptables Policy for Incoming Packets ocil:ssg-set_iptables_default_rule_action:testaction:1 Set configuration for IPv6 loopback traffic ocil:ssg-set_ipv6_loopback_traffic_action:testaction:1 Set configuration for loopback traffic ocil:ssg-set_loopback_traffic_action:testaction:1 Ensure Base Chains Exist for Nftables ocil:ssg-set_nftables_base_chain_action:testaction:1 Set nftables Configuration for Loopback Traffic ocil:ssg-set_nftables_loopback_traffic_action:testaction:1 Ensure a Table Exists for Nftables ocil:ssg-set_nftables_table_action:testaction:1 Set Password Hashing Algorithm in /etc/login.defs ocil:ssg-set_password_hashing_algorithm_logindefs_action:testaction:1 Set PAM''s Password Hashing Algorithm ocil:ssg-set_password_hashing_algorithm_systemauth_action:testaction:1 Ensure ufw Default Deny Firewall Policy ocil:ssg-set_ufw_default_rule_action:testaction:1 Set UFW Loopback Traffic ocil:ssg-set_ufw_loopback_traffic_action:testaction:1 Configure Smart Card Certificate Authority Validation ocil:ssg-smartcard_configure_ca_action:testaction:1 Configure Smart Card Certificate Status Checking ocil:ssg-smartcard_configure_cert_checking_action:testaction:1 Configure Smart Card Local Cache of Revocation Data ocil:ssg-smartcard_configure_crl_action:testaction:1 Enable Smart Card Logins in PAM ocil:ssg-smartcard_pam_enabled_action:testaction:1 Disable systemd-journal-remote Socket ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1 Disable SSH Access via Empty Passwords ocil:ssg-sshd_disable_empty_passwords_action:testaction:1 Disable SSH Forwarding ocil:ssg-sshd_disable_forwarding_action:testaction:1 Disable GSSAPI Authentication ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1 Disable SSH Support for .rhosts Files ocil:ssg-sshd_disable_rhosts_action:testaction:1 Disable SSH Root Login ocil:ssg-sshd_disable_root_login_action:testaction:1 Disable X11 Forwarding ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1 Do Not Allow SSH Environment Options ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1 Enable PAM ocil:ssg-sshd_enable_pam_action:testaction:1 Enable Public Key Authentication ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1 Enable SSH Warning Banner ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1 Limit Users' SSH Access ocil:ssg-sshd_limit_user_access_action:testaction:1 Set SSH Client Alive Interval ocil:ssg-sshd_set_idle_timeout_action:testaction:1 Set SSH Client Alive Count Max ocil:ssg-sshd_set_keepalive_action:testaction:1 Ensure SSH LoginGraceTime is configured ocil:ssg-sshd_set_login_grace_time_action:testaction:1 Set LogLevel to INFO ocil:ssg-sshd_set_loglevel_info_action:testaction:1 Set SSH authentication attempt limit ocil:ssg-sshd_set_max_auth_tries_action:testaction:1 Set SSH MaxSessions limit ocil:ssg-sshd_set_max_sessions_action:testaction:1 Ensure SSH MaxStartups is configured ocil:ssg-sshd_set_maxstartups_action:testaction:1 Use Only FIPS 140-2 Validated Ciphers ocil:ssg-sshd_use_approved_ciphers_ordered_stig_action:testaction:1 Use Only FIPS 140-2 Validated Key Exchange Algorithms ocil:ssg-sshd_use_approved_kex_ordered_stig_action:testaction:1 Use Only FIPS 140-2 Validated MACs ocil:ssg-sshd_use_approved_macs_ordered_stig_action:testaction:1 Use Only Strong Ciphers ocil:ssg-sshd_use_strong_ciphers_action:testaction:1 Use Only Strong Key Exchange algorithms ocil:ssg-sshd_use_strong_kex_action:testaction:1 Use Only Strong MACs ocil:ssg-sshd_use_strong_macs_action:testaction:1 Prevent remote hosts from connecting to the proxy display ocil:ssg-sshd_x11_use_localhost_action:testaction:1 Configure SSSD to Expire Offline Credentials ocil:ssg-sssd_offline_cred_expiration_action:testaction:1 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty ocil:ssg-sudo_add_use_pty_action:testaction:1 Ensure Sudo Logfile Exists - sudo logfile ocil:ssg-sudo_custom_logfile_action:testaction:1 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate ocil:ssg-sudo_remove_no_authenticate_action:testaction:1 Ensure Users Re-Authenticate for Privilege Escalation - sudo ocil:ssg-sudo_require_authentication_action:testaction:1 Require Re-Authentication When Using the sudo Command ocil:ssg-sudo_require_reauthentication_action:testaction:1 Enable Kernel Parameter to Enforce DAC on Hardlinks ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1 Enable Kernel Parameter to Enforce DAC on Symlinks ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1 Disable Core Dumps for SUID programs ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1 Restrict Access to Kernel Message Buffer ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1 Enable Randomized Layout of Virtual Address Space ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1 Restrict usage of ptrace to descendant processes ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1 Disable Accepting ICMP Redirects for All IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1 Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1 Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1 Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1 Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1 Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1 Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1 Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1 Configure Kernel Parameter for Accepting Secure Redirects By Default ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1 Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1 Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1 Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1 Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1 Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1 Configure Accepting Router Advertisements on All IPv6 Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1 Disable Accepting ICMP Redirects for All IPv6 Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1 Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1 Disable Kernel Parameter for IPv6 Forwarding ocil:ssg-sysctl_net_ipv6_conf_all_forwarding_action:testaction:1 Disable Accepting Router Advertisements on all IPv6 Interfaces by Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1 Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1 Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1 Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile ocil:ssg-systemd_journal_upload_server_tls_action:testaction:1 Configure systemd-journal-upload URL ocil:ssg-systemd_journal_upload_url_action:testaction:1 Only Allow Authorized Network Services in ufw ocil:ssg-ufw_only_required_services_action:testaction:1 ufw Must rate-limit network interfaces ocil:ssg-ufw_rate_limit_action:testaction:1 Ensure ufw Firewall Rules Exist for All Open Ports ocil:ssg-ufw_rules_for_open_ports_action:testaction:1 Enforce Usage of pam_wheel with Group Parameter for su Authentication ocil:ssg-use_pam_wheel_group_for_su_action:testaction:1 Verify that 'use_mappers' is set to 'pwent' in PAM ocil:ssg-verify_use_mappers_action:testaction:1 Check that vlock is installed to allow session locking ocil:ssg-vlock_installed_action:testaction:1 Deactivate Wireless Network Interfaces ocil:ssg-wireless_disable_interfaces_action:testaction:1 Enable Auditing to Start Prior to the Audit Daemon in zIPL ocil:ssg-zipl_audit_argument_action:testaction:1 Extend Audit Backlog Limit for the Audit Daemon in zIPL ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1 PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL PASS FAIL To verify the INACTIVE setting, run the following command: $ grep "INACTIVE" /etc/default/useradd The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below: $ grep "INACTIVE" /etc/default/useradd INACTIVE= Is it the case that the value of INACTIVE is greater than the expected value or is -1? Verify that temporary accounts have been provisioned with an expiration date of 72 hours. For every temporary account, run the following command to obtain its account aging and expiration information: $ sudo chage -l temporary_account_name Verify each of these accounts has an expiration date set within 72 hours or as documented. Is it the case that any temporary accounts have no expiration date set or do not expire within 72 hours? Verify that Ubuntu 22.04 contains no duplicate User IDs (UIDs) for interactive users. Check that the operating system contains no duplicate UIDs for interactive users with the following command: $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd Is it the case that output is produced and the accounts listed are interactive user accounts? To verify all accounts have unique names, run the following command: $ sudo getent passwd | awk -F: '{ print $1}' | uniq -d No output should be returned. Is it the case that a line is returned? Verify Ubuntu 22.04 limits the number of concurrent sessions to "" for all accounts and/or account types with the following command: $ grep -r -s maxlogins /etc/security/limits.conf /etc/security/limits.d/*.conf /etc/security/limits.conf:* hard maxlogins 10 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Is it the case that the "maxlogins" item is missing, commented out, or the value is set greater than "<sub idref="var_accounts_max_concurrent_login_sessions" />" and is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "maxlogins" item assigned'? Verify that Ubuntu 22.04 enforces a -day maximum password lifetime for new user accounts by running the following command: $ grep -i pass_max_days /etc/login.defs PASS_MAX_DAYS Is it the case that the "PASS_MAX_DAYS" parameter value is greater than "<sub idref="var_accounts_maximum_age_login_defs" />", or commented out? Verify Ubuntu 22.04 enforces 24 hours/one day as the minimum password lifetime for new user accounts. Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: $ grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS Is it the case that the "PASS_MIN_DAYS" parameter value is not "<sub idref="var_accounts_minimum_age_login_defs" />" or greater, or is commented out? Verify that only the "root" account has a UID "0" assignment with the following command: $ awk -F: '$3 == 0 {print $1}' /etc/passwd root Is it the case that any accounts other than "root" have a UID of "0"? To check that no password hashes are stored in /etc/passwd, run the following command: awk '!/\S:x|\*/ {print}' /etc/passwd If it produces any output, then a password hash is stored in /etc/passwd. Is it the case that any stored hashes are found in /etc/passwd? Verify that the interactive user account passwords last change time is not in the future The following command should return no output $ sudo expiration=$(cat /etc/shadow|awk -F ':' '{print $3}'); for edate in ${expiration[@]}; do if [[ $edate > $(( $(date +%s)/86400 )) ]]; then echo "Expiry date in future"; fi; done Is it the case that any interactive user password that has last change time in the future? Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one numeric character be used. Check the value for "dcredit" with the following command: $ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf:dcredit = Is it the case that the value of "dcredit" is a positive number or is commented out? Verify Ubuntu 22.04 prevents the use of dictionary words for passwords with the following command: $ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf /etc/security/pwquality.conf:dictcheck=1 Is it the case that "dictcheck" does not have a value other than "0", or is commented out? Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: $ sudo grep difok /etc/security/pwquality.conf difok = Is it the case that the value of "difok" is set to less than "<sub idref="var_password_pam_difok" />", or is commented out? Verify that Ubuntu 22.04 enforces password complexity rules for the root account. Check if root user is required to use complex passwords with the following command: $ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf:enforce_for_root Is it the case that "enforce_for_root" is commented or missing? To verify that enforcing is correctly applied, run the following command: $ grep -i enforcing /etc/security/pwquality.conf The output should return enforcing = 1 uncommented. Is it the case that enforcing is not uncommented or configured correctly? Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one lower-case character. Check the value for "lcredit" with the following command: $ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf /etc/security/pwquality.conf:lcredit = -1 Is it the case that the value of "lcredit" is a positive number or is commented out? Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: $ grep maxrepeat /etc/security/pwquality.conf maxrepeat = Is it the case that the value of "maxrepeat" is set to more than "<sub idref="var_password_pam_maxrepeat" />" or is commented out? Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: $ grep minclass /etc/security/pwquality.conf minclass = Is it the case that the value of "minclass" is set to less than "<sub idref="var_password_pam_minclass" />" or is commented out? Verify that Ubuntu 22.04 enforces a minimum -character password length with the following command: $ grep minlen /etc/security/pwquality.conf minlen = Is it the case that the command does not return a "minlen" value of "<sub idref="var_password_pam_minlen" />" or greater, does not return a line, or the line is commented out? Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one special character with the following command: $ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf ocredit = Is it the case that value of "ocredit" is a positive number or is commented out? Check that the SUSE operating system prohibits the reuse of a password for a minimum of generations with the following command: # grep pam_pwhistory.so /etc/pam.d/common-password password requisite pam_pwhistory.so remember= use_authtok If the command does not return a result, or the returned line is commented out, has a second column value different from "requisite", does not contain "remember" value, the value is less than , or is missing the "use_authtok" keyword, this is a finding. Is it the case that the value of remember is not set equal to or greater than <sub idref="var_password_pam_remember" />? Verify Ubuntu 22.04 is configured to limit the "pwquality" retry option to . Check for the use of the "pwquality" retry option in the PAM files with the following command: $ grep pam_pwquality /etc/pam.d/common-password password requisite pam_pwquality.so retry= Is it the case that the value of "retry" is set to "0" or greater than "<sub idref="var_password_pam_retry" />", or is missing? Verify that Ubuntu 22.04 enforces password complexity by requiring that at least one upper-case character. Check the value for "ucredit" with the following command: $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf ucredit = -1 Is it the case that the value of "ucredit" is a positive number or is commented out? To verify the password reuse setting is compliant, run the following command: $ grep use_authtok /etc/pam.d/common-password The output should show use_authtok on the line. Is it the case that Usage of use_authtok for pam_unix.so is required? Check whether the maximum time period for existing passwords is restricted to days with the following commands: $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow Is it the case that any results are returned that are not associated with a system account? Verify that Ubuntu 22.04 has configured the minimum time period between password changes for each user account is one day or greater with the following command: $ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow Is it the case that any results are returned that are not associated with a system account? To check the password warning age, run the command: $ grep PASS_WARN_AGE /etc/login.defs The profile requirement is . Is it the case that it is not set to the required value? Verify that the Ubuntu 22.04 operating system enforces a minimum delay between logon prompts following a failed logon attempt. # grep pam_faildelay /etc/pam.d/common-auth auth required pam_faildelay.so delay= If the value of delay is not set to or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding. Is it the case that the value of delay is not set properly or the line is commented or missing? Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: $ sudo grep audit /etc/security/faillock.conf audit Is it the case that the "audit" option is not set, is missing or commented out? Verify Ubuntu 22.04 is configured to lock an account after unsuccessful logon attempts with the command: $ grep 'deny =' /etc/security/faillock.conf deny = . Is it the case that the "deny" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_deny" />" or less (but not "0"), is missing or commented out? To ensure the failed password attempt policy is configured correctly, run the following command: $ grep fail_interval /etc/security/faillock.conf The output should show fail_interval = <interval-in-seconds> where interval-in-seconds is or greater. Is it the case that the "fail_interval" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />" or less (but not "0"), the line is commented out, or the line is missing? To ensure that the system prevents messages from being shown when three unsuccessful logon attempts occur, run the following command: $ grep silent /etc/security/faillock.conf The output should show silent. Is it the case that the system shows messages when three unsuccessful logon attempts occur? Verify Ubuntu 22.04 is configured to lock an account until released by an administrator after unsuccessful logon attempts with the command: $ grep 'unlock_time =' /etc/security/faillock.conf unlock_time = Is it the case that the "unlock_time" option is not set to "<sub idref="var_accounts_passwords_pam_faillock_unlock_time" />", the line is missing, or commented out? To verify that root's primary group is zero run the following command: grep '^root:' /etc/passwd | cut -d : -f 4 The command should return: 0 Is it the case that root has a primary gid not equal to zero? To ensure write permissions are disabled for group and other for each element in root's path, run the following command: # ls -ld DIR Is it the case that group or other write permissions exist? Verify that Ubuntu 22.04 's INACTIVE conforms to site policy (no more than 30 days) with the following command: $ sudo awk -F: '$7 > 30 {print $1 " " $7}' /etc/shadow Is it the case that the value of INACTIVE is greater than the expected value or is -1? Run the following command to ensure the TMOUT value is configured for all users on the system: $ sudo grep TMOUT /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh The output should return the following: TMOUT= readonly TMOUT export TMOUT Is it the case that the TMOUT value is not configured, is set to 0, or is not less than or equal to the expected setting? Verify the umask setting is configured correctly in the /etc/bash.bashrc file with the following command: $ sudo grep "umask" /etc/bash.bashrc umask Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? Verify Ubuntu 22.04 defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: # grep -i umask /etc/login.defs UMASK Is it the case that the value for the "UMASK" parameter is not "<sub idref="var_accounts_user_umask" />", or the "UMASK" parameter is missing or is commented out? Verify the umask setting is configured correctly in the /etc/profile file or scripts within /etc/profile.d directory with the following command: $ grep "umask" /etc/profile* umask Is it the case that the value for the "umask" parameter is not "<sub idref="var_accounts_user_umask" />", or the "umask" parameter is missing or is commented out? To verify the local initialization files of all local interactive users are group- owned by the appropriate user, inspect the primary group of the respective users in /etc/passwd and verify all initialization files under the respective users home directory. Check the group owner of all local interactive users initialization files. Is it the case that they are not? To verify all local initialization files for interactive users are owned by the primary user, run the following command: $ sudo ls -al /home/USER/.* The user initialization files should be owned by USER. Is it the case that they are not? Verify the assigned home directories of all interactive users on the system exist with the following command: $ sudo pwck -r user 'mailnull': directory 'var/spool/mqueue' does not exist The output should not return any interactive users. Is it the case that users home directory does not exist? To find the location of the AIDE database file, run the following command: $ sudo ls -l DBDIR/database_file_name Is it the case that there is no database file? Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: # sudo cat /etc/aide/aide.conf | grep /usr/sbin/au /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command. If one or more lines are missing, this is a finding. Is it the case that integrity checks of the audit tools are missing or incomplete? Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: # grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no If SILENTREPORTS is commented out, this is a finding. If SILENTREPORTS is set to "yes", this is a finding. If SILENTREPORTS is not set to "no", this is a finding. Is it the case that silentreports is enabled in aide default configuration, or is missing? Verify the operating system routinely checks the baseline configuration for unauthorized changes. To determine that periodic AIDE execution has been scheduled, run the following command: $ grep aide /etc/crontab The output should return something similar to the following: 05 4 * * * root /usr/bin/aide --config /etc/aide/aide.conf --check NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable. Is it the case that AIDE is not configured to scan periodically? Run the following command to determine the current status of the apparmor service: $ sudo systemctl is-active apparmor If the service is running, it should return the following: active Is it the case that it is not? To determine if the system is configured to audit calls to the chmod system call, run the following command: $ sudo grep "chmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the chown system call, run the following command: $ sudo grep "chown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchmod system call, run the following command: $ sudo grep "fchmod" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchmodat system call, run the following command: $ sudo grep "fchmodat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchown system call, run the following command: $ sudo grep "fchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fchownat system call, run the following command: $ sudo grep "fchownat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fremovexattr system call, run the following command: $ sudo grep "fremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the fsetxattr system call, run the following command: $ sudo grep "fsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lchown system call, run the following command: $ sudo grep "lchown" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lremovexattr system call, run the following command: $ sudo grep "lremovexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the lsetxattr system call, run the following command: $ sudo grep "lsetxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the removexattr system call, run the following command: $ sudo grep "removexattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the setxattr system call, run the following command: $ sudo grep "setxattr" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Verify that Ubuntu 22.04 is configured to audit the execution of the "chacl" command with the following command: $ sudo auditctl -l | grep chacl -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "chcon" command with the following command: $ sudo auditctl -l | grep chcon -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "setfacl" command with the following command: $ sudo auditctl -l | grep setfacl -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod Is it the case that the command does not return a line, or the line is commented out? To determine if the system is configured to audit calls to the rename system call, run the following command: $ sudo grep "rename" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the renameat system call, run the following command: $ sudo grep "renameat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the rmdir system call, run the following command: $ sudo grep "rmdir" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the unlink system call, run the following command: $ sudo grep "unlink" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the unlinkat system call, run the following command: $ sudo grep "unlinkat" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Verify the audit system prevents unauthorized changes with the following command: $ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 -e 2 Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the end of "/etc/audit/audit.rules"? To determine if the system is configured to audit calls to the delete_module system call, run the following command: $ sudo grep "delete_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the finit_module system call, run the following command: $ sudo grep "finit_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the init_module system call, run the following command: $ sudo grep "init_module" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Verify Ubuntu 22.04 generates audit records for all events that affect "" with the following command: $ sudo auditctl -l | grep -w -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/faillog" with the following command: $ sudo auditctl -l | grep /var/log/faillog -w /var/log/faillog -p wa -k logins Is it the case that there is no output? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/lastlog" with the following command: $ sudo auditctl -l | grep /var/log/lastlog -w /var/log/lastlog -p wa -k logins Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/apparmor" with the following command: $ sudo auditctl -l | grep /etc/apparmor -w /etc/apparmor -p wa -k MAC-policy Is it the case that the system is not configured to audit attempts to change files within the /etc/apparmor directory? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/apparmor.d" with the following command: $ sudo auditctl -l | grep /etc/apparmor.d -w /etc/apparmor.d -p wa -k MAC-policy Is it the case that the system is not configured to audit attempts to change files within the /etc/apparmor.d directory? To determine if the system is configured to audit calls to the mount system call, run the following command: $ sudo grep "mount" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit changes to its network configuration, run the following command: auditctl -l | grep -E '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/networks|/etc/network/)' If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa should be indicated for each). Is it the case that the system is not configured to audit changes of the network configuration? To verify that auditing of privileged command use is configured, run the following command to search privileged commands in relevant partitions and check if they are covered by auditd rules: FILTER_NODEV=$(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) PARTITIONS=$(findmnt -n -l -k -it $FILTER_NODEV | grep -Pv "noexec|nosuid" | awk '{ print $1 }') for PARTITION in $PARTITIONS; do for PRIV_CMD in $(find "${PARTITION}" -xdev -perm /6000 -type f 2>/dev/null); do grep -qr "${PRIV_CMD}" /etc/audit/rules.d /etc/audit/audit.rules && printf "OK: ${PRIV_CMD}\n" || printf "WARNING - rule not found for: ${PRIV_CMD}\n" done done The output should not contain any WARNING. Is it the case that any setuid or setgid programs doesn't have a line in the audit rules? To verify that execution of the command is being audited, run the following command: sudo auditctl -l | grep apparmor_parser The output should return something similar to: -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged Is it the case that ? Verify that Ubuntu 22.04 is configured to audit the execution of the "chage" command with the following command: $ sudo auditctl -l | grep chage -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage Is it the case that the command does not return a line, or the line is commented out? To verify that auditing of privileged command use is configured, run the following command: $ sudo grep chfn /etc/audit/audit.rules /etc/audit/rules.d/* It should return a relevant line in the audit rules. Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "chsh" command with the following command: $ sudo auditctl -l | grep chsh -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "crontab" command with the following command: $ sudo auditctl -l | grep crontab -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab Is it the case that the command does not return a line, or the line is commented out? To verify that auditing of privileged command use is configured, run the following command: $ sudo auditctl -l | grep fdisk -w /sbin/fdisk -p x -k fdisk If the command does not return a line, or the line is commented out, this is a finding. Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "gpasswd" command with the following command: $ sudo auditctl -l | grep gpasswd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "kmod" command with the following command: $ sudo auditctl -l | grep kmod -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-kmod Is it the case that the command does not return a line, or the line is commented out? To verify that auditing of privileged command use is configured, run the following command: sudo auditctl -l | grep -w '/sbin/modprobe' -w /sbin/modprobe -p x -k modules It should return a relevant line in the audit rules. Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "mount" command with the following command: $ sudo auditctl -l | grep mount -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "newgrp" command with the following command: $ sudo auditctl -l | grep newgrp -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "pam_timestamp_check" command with the following command: $ sudo auditctl -l | grep pam_timestamp_check -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "passwd" command with the following command: $ sudo auditctl -l | grep passwd -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "ssh-agent" command with the following command: $ sudo auditctl -l | grep ssh-agent -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "ssh-keysign" command with the following command: $ sudo auditctl -l | grep ssh-keysign -a always,exit -F path=/usr/lib/openssh/ssh-keysignssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "su" command with the following command: $ sudo auditctl -l | grep su -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-su Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "sudo" command with the following command: $ sudo auditctl -l | grep sudo -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "sudoedit" command with the following command: $ sudo auditctl -l | grep sudoedit -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "umount" command with the following command: $ sudo auditctl -l | grep umount -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-umount Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "unix_update" command with the following command: $ sudo auditctl -l | grep unix_update -a always,exit -F path=/usr/bin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix_update Is it the case that the command does not return a line, or the line is commented out? Verify that Ubuntu 22.04 is configured to audit the execution of the "usermod" command with the following command: $ sudo auditctl -l | grep usermod -a always,exit -F path=/usr/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/btmp" with the following command: $ sudo auditctl -l | grep /var/log/btmp -w /var/log/btmp -p wa -k session Is it the case that Audit rule is not present? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/run/utmp" with the following command: $ sudo auditctl -l | grep /var/run/utmp -w /var/run/utmp -p wa -k session Is it the case that Audit rule is not present? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/wtmp" with the following command: $ sudo auditctl -l | grep /var/log/wtmp -w /var/log/wtmp -p wa -k session Is it the case that Audit rule is not present? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/sudoers" with the following command: $ sudo auditctl -l | grep /etc/sudoers -w /etc/sudoers -p wa -k actions Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/sudoers.d/" with the following command: $ sudo auditctl -l | grep /etc/sudoers.d/ -w /etc/sudoers.d/ -p wa -k actions Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 audits execution as another user. Check if Ubuntu 22.04 is configured to audit the execution of the "execve" system call using the following command: $ sudo grep execve /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S execve -C euid!=uid -F auid!=unset -k user_emulation -a always,exit -F arch=b64 -S execve -C euid!=uid -F auid!=unset-k user_emulation Is it the case that the command does not return all lines, or the lines are commented out? Verify Ubuntu 22.04 audits the execution of privileged functions. Check if Ubuntu 22.04 is configured to audit the execution of the "execve" system call using the following command: $ sudo grep execve /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid Is it the case that the command does not return all lines, or the lines are commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/sudoers" with the following command: $ sudo auditctl -l | grep /etc/sudoers -w /etc/sudoers -p wa -k actions Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/sudoers.d/" with the following command: $ sudo auditctl -l | grep /etc/sudoers.d/ -w /etc/sudoers.d/ -p wa -k actions Is it the case that there is not output? To determine if the system is configured to audit calls to the adjtimex system call, run the following command: $ sudo grep "adjtimex" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the clock_settime system call, run the following command: $ sudo grep "clock_settime" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? To determine if the system is configured to audit calls to the settimeofday system call, run the following command: $ sudo grep "settimeofday" /etc/audit/audit.* If the system is configured to audit this activity, it will return a line. Is it the case that no line is returned? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/localtime" with the following command: $ sudo auditctl -l | grep /etc/localtime -w /etc/localtime -p wa -k audit_time_rules Is it the case that the system is not configured to audit time changes? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the creat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r creat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep creat /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the ftruncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r ftruncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep ftruncate /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the open system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r open /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep open /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r open_by_handle_at /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep open_by_handle_at /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the openat system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r openat /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep openat /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates an audit record for unsuccessful attempts to use the truncate system call. If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command: $ sudo grep -r truncate /etc/audit/rules.d If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command: $ sudo grep truncate /etc/audit/audit.rules The output should be the following: -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/group" with the following command: $ sudo auditctl -l | grep /etc/group -w /etc/group -p wa -k audit_rules_usergroup_modification Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/gshadow" with the following command: $ sudo auditctl -l | grep /etc/gshadow -w /etc/gshadow -p wa -k audit_rules_usergroup_modification Is it the case that the system is not configured to audit account changes? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/group" with the following command: $ sudo auditctl -l | grep /etc/group -w /etc/group -p wa -k audit_rules_usergroup_modification Is it the case that ? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/security/opasswd" with the following command: $ sudo auditctl -l | grep /etc/security/opasswd -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/pam.conf" with the following command: $ sudo auditctl -l | grep /etc/pam.conf -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification Is it the case that ? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/pam.conf" with the following command: $ sudo auditctl -l | grep /etc/pam.conf -w /etc/pam.conf -p wa -k audit_rules_usergroup_modification Is it the case that ? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | grep /etc/passwd -w /etc/passwd -p wa -k audit_rules_usergroup_modification Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/etc/shadow" with the following command: $ sudo auditctl -l | grep /etc/shadow -w /etc/shadow -p wa -k audit_rules_usergroup_modification Is it the case that command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/journal" with the following command: $ sudo auditctl -l | grep /var/log/journal -w /var/log/journal -p wa -k systemd_journal Is it the case that the command does not return a line, or the line is commented out? Verify Ubuntu 22.04 generates audit records for all events that affect "/var/log/sudo.log" with the following command: $ sudo auditctl -l | grep /var/log/sudo.log -w /var/log/sudo.log -p wa -k maintenance Is it the case that Audit rule is not present? Check that the records are being offloaded to a remote server with the following command: $ sudo grep -i active /etc/audisp/plugins.d/au-remote.conf The output should return: active = yes To verify the audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audit/audisp-remote.conf The output should return something similar to remote_server = Is it the case that audispd is not sending logs to a remote system? To verify whether audispd plugin off-loads audit records onto a different system or media from the system being audited, run the following command: $ sudo grep -i remote_server /etc/audit/audisp-remote.conf The output should return something similar to where REMOTE_SYSTEM is an IP address or hostname: remote_server = REMOTE_SYSTEM Determine which partition the audit records are being written to with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit Is it the case that audispd is not sending logs to a remote system and the local partition has inadequate space? Verify Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs. Check that Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs with the following command: $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. Is it the case that there is no evidence of appropriate action? Verify Ubuntu 22.04 takes the appropriate action when the audit storage volume is full. Check that Ubuntu 22.04 takes the appropriate action when the audit storage volume is full with the following command: $ sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. Is it the case that there is no evidence of appropriate action? Verify that Ubuntu 22.04 is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct = Is it the case that the value of the "action_mail_acct" keyword is not set to "<sub idref="var_auditd_action_mail_acct" />" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure? Verify that Ubuntu 22.04 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = single If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. Is it the case that there is no evidence that real-time alerts are configured on the system? Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file /etc/audit/auditd.conf max_log_file = 6 Is it the case that the system audit data threshold has not been properly configured? Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. Check which action Ubuntu 22.04 takes when the audit storage volume is full with the following command: $ sudo grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out? Verify Ubuntu 22.04 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left_action /etc/audit/auditd.conf space_left_action = If the value of the "space_left_action" is not set to "", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. Is it the case that there is no evidence that real-time alerts are configured on the system? Verify Ubuntu 22.04 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left /etc/audit/auditd.conf space_left = % Is it the case that the value of the "space_left" keyword is not set to <sub idref="var_auditd_space_left_percentage" />% of the storage volume allocated to audit logs, or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If the "space_left" value is not configured to the correct value? Verify there is a script that offloads audit data and that script runs weekly. Check if there is a script in the "/etc/cron.weekly" directory that offloads audit data: # sudo ls /etc/cron.weekly audit-offload Check if the script inside the file does offloading of audit logs to external media. If the script file does not exist or does not offload audit logs, this is a finding. Is it the case that Cron job has not been configured to offload audit logs to external media? Run the following command and verify no results are returned: $ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue Is it the case that any results are returned? To check if the system login banner is compliant, run the following command: $ cat /etc/issue.net Is it the case that it does not display the required banner? Run the following command and verify no results are returned: $ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net Is it the case that any results are returned? Run the following command and verify no results are returned: $ grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd Is it the case that any results are returned? Verify the NX (no-execution) bit flag is set on the system. Check that the no-execution bit flag is set with the following commands: $ sudo dmesg | grep NX [ 0.000000] NX (Execute Disable) protection: active If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: $ sudo grep flags /proc/cpuinfo flags : fpu vme de pse tsc ms nx rdtscp lm constant_ts The output should contain the "nx" flag. Is it the case that NX is disabled? Run the following command and verify remote servers are configured properly: # grep -E "^(server|pool)" /etc/chrony/chrony.conf Is it the case that a remote time server is not configured? Verify Ubuntu 22.04 is securely comparing internal information system clocks at a regular interval with an NTP server with the following command: $ sudo grep maxpoll /etc/ntp.conf /etc/chrony/chrony.conf /etc/chrony/conf.d/ server [ntp.server.name] iburst maxpoll . Is it the case that "maxpoll" has not been set to the value of "<sub idref="var_time_service_set_maxpoll" />", is commented out, or is missing? Run the following command and verify that user is set to _chrony in /etc/chrony/chrony.conf or the user parameter is absent: # grep "^user" /etc/chrony/chrony.conf user _chrony Is it the case that chronyd is not running under chrony user account? Verify the operating system synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second. Check the value of "makestep" by running the following command: $ sudo grep makestep /etc/chrony/chrony.conf makestep 1 -1 If it is not set to the above value, edit the /etc/chrony/chrony.conf file and add: makestep 1 -1 Restart the chrony service: $ sudo systemctl restart chrony.service Is it the case that ? Verify Ubuntu 22.04 removes all software components after updated versions have been installed. $ grep -i remove-unused /etc/apt/apt.conf The output should return something similar to: Unattended-Upgrade::Remove-Unused-Dependencies "true"; Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; Is it the case that '::Remove-Unused-Dependencies and ::Remove-Unused-Kernel-Packages is not enabled or configured correctly'? To ensure a login warning banner is enabled, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/* If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following: $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/banner-message-enable. Is it the case that it is not? These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling automount If properly configured, the output for automount should be false. To ensure that users cannot enable automount in GNOME3, run the following: $ grep 'automount' /etc/dconf/db/local.d/locks/* If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount Is it the case that GNOME automounting is not disabled? These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling automount-open If properly configured, the output for automount-openshould be false. To ensure that users cannot enable automount opening in GNOME3, run the following: $ grep 'automount-open' /etc/dconf/db/local.d/locks/* If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open Is it the case that GNOME automounting is not disabled? These settings can be verified by running the following: $ gsettings get org.gnome.desktop.media-handling autorun-never If properly configured, the output for autorun-nevershould be true. To ensure that users cannot enable autorun in GNOME3, run the following: $ grep 'autorun-never' /etc/dconf/db/local.d/locks/* If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never Is it the case that GNOME autorun is not disabled? To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command: $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout $ grep logout /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/settings-daemon/plugins/media-keys/logout Is it the case that GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed? To ensure the user list is disabled, run the following command: $ grep disable-user-list /etc/dconf/db/gdm.d/* The output should be true. To ensure that users cannot enable displaying the user list, run the following: $ grep disable-user-list /etc/dconf/db/gdm.d/locks/* If properly configured, the output should be /org/gnome/login-screen/disable-user-list Is it the case that disable-user-list has not been configured or is not disabled? To ensure the login warning banner text is properly set, run the following: $ grep banner-message-text /etc/gdm3/greeter.dconf-defaults If properly configured, the proper banner text will appear. Is it the case that it does not? To check the current idle time-out value, run the following command: $ gsettings get org.gnome.desktop.session idle-delay If properly configured, the output should be 'uint32 '. To ensure that users cannot change the screensaver inactivity timeout setting, run the following: $ grep idle-delay /etc/dconf/db/local.d/locks/* If properly configured, the output should be /org/gnome/desktop/session/idle-delay Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />? To check that the screen locks immediately when activated, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-delay If properly configured, the output should be 'uint32 '. Is it the case that the screensaver lock delay is missing, or is set to a value greater than <sub idref="var_screensaver_lock_delay" />? To check the status of the idle screen lock activation, run the following command: $ gsettings get org.gnome.desktop.screensaver lock-enabled If properly configured, the output should be true. To ensure that users cannot change how long until the screensaver locks, run the following: $ grep lock-enabled /etc/dconf/db/local.d/locks/* If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly? Verify the system-wide shared library directories are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding. Is it the case that any system-wide shared library directory is returned and is not group-owned by a required system account? System commands are stored in the following directories: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin For each of these directories, run the following command to find files not owned by root group: $ sudo find -L $DIR ! -group root -type d \; Is it the case that any of these directories are not owned by root group? System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/sbin For each of these directories, run the following command to find files not owned by root: $ sudo find -L DIR/ ! -user root -type d -exec chown root {} \; Is it the case that any system executables directories are found to not be owned by root? Verify the system-wide shared library directories are owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; Is it the case that any system-wide shared library directory is not owned by root? System executables are stored in the following directories by default: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin To find system executables directories that are group-writable or world-writable, run the following command for each directory DIR which contains system executables: $ sudo find -L DIR -perm /022 -type d Is it the case that any of these files are group-writable or world-writable? To find world-writable directories that lack the sticky bit, run the following command: $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null fixtext: |- Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: $ chmod a+t [World-Writable Directory] srg_requirement: A sticky bit must be set on all Ubuntu 22.04 public directories to prevent unauthorized and unintended information transferred via shared system resources. Is it the case that any world-writable directories are missing the sticky bit? Verify the audit log directories have a correct mode or less permissive mode. Find the location of the audit logs: $ sudo grep "^log_file" /etc/audit/auditd.conf Find the group that owns audit logs: $ sudo grep "^log_group" /etc/audit/auditd.conf Run the following command to check the mode of the system audit logs: $ sudo stat -c "%a %n" [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit". If the log_group is "root" or is not set, the correct permissions are 0700, otherwise they are 0750. Is it the case that audit logs have a more permissive mode? To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check that the ctrl-alt-del.target is masked and not active with the following command: sudo systemctl status ctrl-alt-del.target The output should indicate that the target is masked and not active. It might resemble following output: ctrl-alt-del.target Loaded: masked (/dev/null; bad) Active: inactive (dead) Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed? To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command: $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? Verify that core dumps are disabled for all users, run the following command: $ grep core /etc/security/limits.conf * hard core 0 Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"? Check the system partitions to determine if they are encrypted with the following command: blkid Output will be similar to: /dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2 " TYPE="crypto_LUKS" /dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2 " TYPE="crypto_LUKS" The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to use disk encryption and are not a finding. Is it the case that partitions do not have a type of crypto_LUKS? To determine the status and frequency of logrotate, run the following command: $ sudo grep logrotate /var/log/cron* If logrotate is configured properly, output should include references to /etc/cron.daily. Is it the case that logrotate is not configured to run daily? Run the following command to check if the group exists: grep /etc/group The output should contain the following line: :x: Is it the case that group exists and has no user members? Run the following command to verify that the password is set for root: # passwd -S root | awk '$2 ~ /^P/ {print "User: \"" $1 "\" Password is status: " $2}' Verify the output is: User: "root" Password is status: P Note: - P - Password is set Is it the case that root password is not set? To verify that the system real-time clock is set to UTC or GMT, run the following command: # timedatectl status | grep -i "time zone" # Time zone: UTC (UTC, +0000) If "Timezone" is not set to UTC, this is a finding. Fix Text: Configure the SUSE operating system is configured to use UTC. To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT". # sudo timedatectl set-timezone [ZONE] Is it the case that the system real-time clock is not configured to use UTC as its time base? Run the following commands and verify no results are returned: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group awk -F: '($4 == "") { print }' /etc/passwd Is it the case that shadow group is not empty? Configure the sudo group with only members requiring access to security functions. To remove a user from the sudo group, run: $ sudo gpasswd -d username sudo Is it the case that sudo group contains users not needing access to security functions? The file /etc/at.allow should exist. This can be checked by running the following command: stat /etc/at.allow and the output should list the file. Is it the case that the file /etc/at.allow does not exist? The file /etc/cron.allow should exist. This can be checked by running the following command: stat /etc/cron.allow and the output should list the file. Is it the case that the file /etc/cron.allow does not exist? The file /etc/cron.deny should not exist. This can be checked by running the following stat /etc/cron.deny and the output should be stat: cannot stat `/etc/cron.deny': No such file or directory Is it the case that the file /etc/cron.deny exists? Check group owners of the system audit logs. First, determine where the audit log file is located. $ sudo grep -iw ^log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log The log_file option specifies the audit log file path. If the log_file option isn't defined, check all files within /var/log/audit directory. Then, determine the audit log group by running the following command: $ sudo grep -P '^[ ]*log_group[ ]+=.*$' /etc/audit/auditd.conf Then, check that the audit log file is owned by the correct group. Run the following command to display the owner of the audit log file: $ sudo stat -c "%n %G" log_file The audit log file must be owned by the log_group or by root if the log_group is not specified. Is it the case that audit log files are owned by incorrect group? To check the group ownership of /etc/at.allow, run the command: $ ls -lL /etc/at.allow If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/at.allow does not have a group owner of root ? To check the group ownership of /etc/at.deny, run the command: $ ls -lL /etc/at.deny If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/at.deny does not have a group owner of root ? To check the group ownership of /etc/group-, run the command: $ ls -lL /etc/group- If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/group- does not have a group owner of root ? To check the group ownership of /etc/gshadow-, run the command: $ ls -lL /etc/gshadow- If properly configured, the output should indicate the following group-owner: shadow Is it the case that /etc/gshadow- does not have a group owner of shadow ? To check the group ownership of /etc/passwd-, run the command: $ ls -lL /etc/passwd- If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/passwd- does not have a group owner of root ? To check the group ownership of /etc/shadow-, run the command: $ ls -lL /etc/shadow- If properly configured, the output should indicate the following group-owner: shadow Is it the case that /etc/shadow- does not have a group owner of shadow ? To check the group ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following group-owner: crontab Is it the case that /etc/cron.allow does not have a group owner of crontab ? To check the group ownership of /etc/cron.d, run the command: $ ls -lL /etc/cron.d If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.d does not have a group owner of root ? To check the group ownership of /etc/cron.daily, run the command: $ ls -lL /etc/cron.daily If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.daily does not have a group owner of root ? To check the group ownership of /etc/cron.hourly, run the command: $ ls -lL /etc/cron.hourly If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.hourly does not have a group owner of root ? To check the group ownership of /etc/cron.monthly, run the command: $ ls -lL /etc/cron.monthly If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.monthly does not have a group owner of root ? To check the group ownership of /etc/cron.weekly, run the command: $ ls -lL /etc/cron.weekly If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/cron.weekly does not have a group owner of root ? To check the group ownership of /etc/crontab, run the command: $ ls -lL /etc/crontab If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/crontab does not have a group owner of root ? To check the group ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/group does not have a group owner of root ? To check the group ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following group-owner: shadow Is it the case that /etc/gshadow does not have a group owner of shadow ? To check the group ownership of /etc/issue, run the command: $ ls -lL /etc/issue If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/issue does not have a group owner of root ? To check the group ownership of /etc/issue.net, run the command: $ ls -lL /etc/issue.net If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/issue.net does not have a group owner of root ? To check the group ownership of /etc/motd, run the command: $ ls -lL /etc/motd If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/motd does not have a group owner of root ? To check the group ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/passwd does not have a group owner of root ? To check the group ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/security/opasswd does not have a group owner of root ? To check the group ownership of /etc/security/opasswd.old, run the command: $ ls -lL /etc/security/opasswd.old If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/security/opasswd.old does not have a group owner of root ? To check the group ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following group-owner: shadow Is it the case that /etc/shadow does not have a group owner of shadow ? To check the group ownership of /etc/shells, run the command: $ ls -lL /etc/shells If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/shells does not have a group owner of root ? To check the group ownership of /etc/ssh/sshd_config, run the command: $ ls -lL /etc/ssh/sshd_config If properly configured, the output should indicate the following group-owner: root Is it the case that /etc/ssh/sshd_config does not have a group owner of root ? To check the group ownership of /var/log/journal/.*/system.journal, run the command: $ ls -lL /var/log/journal/.*/system.journal If properly configured, the output should indicate the following group-owner: systemd-journal Is it the case that /var/log/journal/.*/system.journal does not have a group owner of systemd-journal ? To check the group ownership of /var/log, run the command: $ ls -lL /var/log If properly configured, the output should indicate the following group-owner: syslog Is it the case that /var/log does not have a group owner of syslog ? To check the group ownership of /var/log/auth.log, run the command: $ ls -lL /var/log/auth.log If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/auth.log does not have a group owner of adm or root ? To check the group ownership of /var/log/cloud-init.log*, run the command: $ ls -lL /var/log/cloud-init.log* If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/cloud-init.log* does not have a group owner of adm or root ? To check the group ownership of /var/log/*.journal(~), run the command: $ ls -lL /var/log/*.journal(~) If properly configured, the output should indicate the following group-owner: systemd-journal or root Is it the case that /var/log/*.journal(~) does not have a group owner of systemd-journal or root ? To check the group ownership of /var/log/lastlog, run the command: $ ls -lL /var/log/lastlog If properly configured, the output should indicate the following group-owner: utmp or root Is it the case that /var/log/lastlog does not have a group owner of utmp or root ? To check the group ownership of /var/log/localmessages*, run the command: $ ls -lL /var/log/localmessages* If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/localmessages* does not have a group owner of adm or root ? To check the group ownership of /var/log/messages, run the command: $ ls -lL /var/log/messages If properly configured, the output should indicate the following group-owner: root Is it the case that /var/log/messages does not have a group owner of root ? To check the group ownership of /var/log/secure, run the command: $ ls -lL /var/log/secure If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/secure does not have a group owner of adm or root ? To check the group ownership of /var/log/syslog, run the command: $ ls -lL /var/log/syslog If properly configured, the output should indicate the following group-owner: adm Is it the case that /var/log/syslog does not have a group owner of adm ? To check the group ownership of /var/log/waagent.log, run the command: $ ls -lL /var/log/waagent.log If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/waagent.log does not have a group owner of adm or root ? To check the group ownership of /var/log/(b|w)tmp(.*|-*), run the command: $ ls -lL /var/log/(b|w)tmp(.*|-*) If properly configured, the output should indicate the following group-owner: utmp or root Is it the case that /var/log/(b|w)tmp(.*|-*) does not have a group owner of utmp or root ? Verify it by running the following command: $ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/augenrules root If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions of the missing entries: $ sudo chown :root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by root. Is it the case that ? To properly set the group owner of /etc/audit/, run the command: $ sudo chgrp root /etc/audit/ To properly set the group owner of /etc/audit/rules.d/, run the command: $ sudo chgrp root /etc/audit/rules.d/ Is it the case that ? To verify the assigned home directory of all interactive users is group- owned by that users primary GID, run the following command: # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) Is it the case that the group ownership is incorrect? Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; Is it the case that any system commands are returned and is not group-owned by a required system account? Verify the operating system has all system log files under the /var/log directory, that are not excluded, with a group owner set to root | adm, Is it the case that not all log files group-owned by root or adm? To check the group ownership of /var/log/apt/*, run the command: $ ls -lL /var/log/apt/* If properly configured, the output should indicate the following group-owner: adm or root Is it the case that /var/log/apt/* does not have a group owner of adm or root ? To check the group ownership of /var/log/gdm/*, run the command: $ ls -lL /var/log/gdm/* If properly configured, the output should indicate the following group-owner: gdm or root Is it the case that /var/log/gdm/* does not have a group owner of gdm or root ? To check the group ownership of /var/log/gdm3/*, run the command: $ ls -lL /var/log/gdm3/* If properly configured, the output should indicate the following group-owner: gdm or gdm3 or root Is it the case that /var/log/gdm3/* does not have a group owner of gdm or gdm3 or root ? To check the group ownership of /var/log/landscape/*, run the command: $ ls -lL /var/log/landscape/* If properly configured, the output should indicate the following group-owner: root or landscape Is it the case that /var/log/landscape/* does not have a group owner of root or landscape ? To check the group ownership of /var/log/sssd/*, run the command: $ ls -lL /var/log/sssd/* If properly configured, the output should indicate the following group-owner: sssd or root Is it the case that /var/log/sssd/* does not have a group owner of sssd or root ? To check the ownership of /etc/at.allow, run the command: $ ls -lL /etc/at.allow If properly configured, the output should indicate the following owner: root Is it the case that /etc/at.allow does not have an owner of root? To check the ownership of /etc/at.deny, run the command: $ ls -lL /etc/at.deny If properly configured, the output should indicate the following owner: root Is it the case that /etc/at.deny does not have an owner of root? To check the ownership of /etc/group-, run the command: $ ls -lL /etc/group- If properly configured, the output should indicate the following owner: root Is it the case that /etc/group- does not have an owner of root? To check the ownership of /etc/gshadow-, run the command: $ ls -lL /etc/gshadow- If properly configured, the output should indicate the following owner: root Is it the case that /etc/gshadow- does not have an owner of root? To check the ownership of /etc/passwd-, run the command: $ ls -lL /etc/passwd- If properly configured, the output should indicate the following owner: root Is it the case that /etc/passwd- does not have an owner of root? To check the ownership of /etc/shadow-, run the command: $ ls -lL /etc/shadow- If properly configured, the output should indicate the following owner: root Is it the case that /etc/shadow- does not have an owner of root? To check the ownership of /etc/cron.allow, run the command: $ ls -lL /etc/cron.allow If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.allow does not have an owner of root? To check the ownership of /etc/cron.d, run the command: $ ls -lL /etc/cron.d If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.d does not have an owner of root? To check the ownership of /etc/cron.daily, run the command: $ ls -lL /etc/cron.daily If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.daily does not have an owner of root? To check the ownership of /etc/cron.hourly, run the command: $ ls -lL /etc/cron.hourly If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.hourly does not have an owner of root? To check the ownership of /etc/cron.monthly, run the command: $ ls -lL /etc/cron.monthly If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.monthly does not have an owner of root? To check the ownership of /etc/cron.weekly, run the command: $ ls -lL /etc/cron.weekly If properly configured, the output should indicate the following owner: root Is it the case that /etc/cron.weekly does not have an owner of root? To check the ownership of /etc/crontab, run the command: $ ls -lL /etc/crontab If properly configured, the output should indicate the following owner: root Is it the case that /etc/crontab does not have an owner of root? To check the ownership of /etc/group, run the command: $ ls -lL /etc/group If properly configured, the output should indicate the following owner: root Is it the case that /etc/group does not have an owner of root? To check the ownership of /etc/gshadow, run the command: $ ls -lL /etc/gshadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/gshadow does not have an owner of root? To check the ownership of /etc/issue, run the command: $ ls -lL /etc/issue If properly configured, the output should indicate the following owner: root Is it the case that /etc/issue does not have an owner of root? To check the ownership of /etc/issue.net, run the command: $ ls -lL /etc/issue.net If properly configured, the output should indicate the following owner: root Is it the case that /etc/issue.net does not have an owner of root? To check the ownership of /etc/motd, run the command: $ ls -lL /etc/motd If properly configured, the output should indicate the following owner: root Is it the case that /etc/motd does not have an owner of root? To check the ownership of /etc/passwd, run the command: $ ls -lL /etc/passwd If properly configured, the output should indicate the following owner: root Is it the case that /etc/passwd does not have an owner of root? To check the ownership of /etc/security/opasswd, run the command: $ ls -lL /etc/security/opasswd If properly configured, the output should indicate the following owner: root Is it the case that /etc/security/opasswd does not have an owner of root? To check the ownership of /etc/security/opasswd.old, run the command: $ ls -lL /etc/security/opasswd.old If properly configured, the output should indicate the following owner: root Is it the case that /etc/security/opasswd.old does not have an owner of root? To check the ownership of /etc/shadow, run the command: $ ls -lL /etc/shadow If properly configured, the output should indicate the following owner: root Is it the case that /etc/shadow does not have an owner of root? To check the ownership of /etc/shells, run the command: $ ls -lL /etc/shells If properly configured, the output should indicate the following owner: root Is it the case that /etc/shells does not have an owner of root? To check the ownership of /boot/grub/grub.cfg, run the command: $ ls -lL /boot/grub/grub.cfg If properly configured, the output should indicate the following owner: root Is it the case that /boot/grub/grub.cfg does not have an owner of root? To check the ownership of /etc/ssh/sshd_config, run the command: $ ls -lL /etc/ssh/sshd_config If properly configured, the output should indicate the following owner: root Is it the case that /etc/ssh/sshd_config does not have an owner of root? To check the ownership of /var/log/journal/.*/system.journal, run the command: $ ls -lL /var/log/journal/.*/system.journal If properly configured, the output should indicate the following owner: root Is it the case that /var/log/journal/.*/system.journal does not have an owner of root? To check the ownership of /var/log, run the command: $ ls -lL /var/log If properly configured, the output should indicate the following owner: root Is it the case that /var/log does not have an owner of root? To check the ownership of /var/log/auth.log, run the command: $ ls -lL /var/log/auth.log If properly configured, the output should indicate the following owner: syslog|root Is it the case that /var/log/auth.log does not have an owner of syslog|root? To check the ownership of /var/log/cloud-init.log, run the command: $ ls -lL /var/log/cloud-init.log If properly configured, the output should indicate the following owner: syslog|root Is it the case that /var/log/cloud-init.log does not have an owner of syslog|root? To check the ownership of /var/log/*.journal(~), run the command: $ ls -lL /var/log/*.journal(~) If properly configured, the output should indicate the following owner: root Is it the case that /var/log/*.journal(~) does not have an owner of root? To check the ownership of /var/log/lastlog, run the command: $ ls -lL /var/log/lastlog If properly configured, the output should indicate the following owner: root Is it the case that /var/log/lastlog does not have an owner of root? To check the ownership of /var/log/localmessages, run the command: $ ls -lL /var/log/localmessages If properly configured, the output should indicate the following owner: syslog|root Is it the case that /var/log/localmessages does not have an owner of syslog|root? To check the ownership of /var/log/messages, run the command: $ ls -lL /var/log/messages If properly configured, the output should indicate the following owner: root Is it the case that /var/log/messages does not have an owner of root? To check the ownership of /var/log/secure, run the command: $ ls -lL /var/log/secure If properly configured, the output should indicate the following owner: syslog|root Is it the case that /var/log/secure does not have an owner of syslog|root? To check the ownership of /var/log/syslog, run the command: $ ls -lL /var/log/syslog If properly configured, the output should indicate the following owner: syslog Is it the case that /var/log/syslog does not have an owner of syslog? To check the ownership of /var/log/waagent.log, run the command: $ ls -lL /var/log/waagent.log If properly configured, the output should indicate the following owner: syslog|root Is it the case that /var/log/waagent.log does not have an owner of syslog|root? To check the ownership of /var/log/(b|w)tmp(.*|-*), run the command: $ ls -lL /var/log/(b|w)tmp(.*|-*) If properly configured, the output should indicate the following owner: root Is it the case that /var/log/(b|w)tmp(.*|-*) does not have an owner of root? Verify it by running the following command: $ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/augenrules root If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions of the missing entries: $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by root. Is it the case that ? To properly set the owner of /etc/audit/, run the command: $ sudo chown root /etc/audit/ To properly set the owner of /etc/audit/rules.d/, run the command: $ sudo chown root /etc/audit/rules.d/ Is it the case that ? Verify the system commands contained in the following directories are owned by "root" with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; Is it the case that any system commands are found to not be owned by root? To verify the home directory ownership, run the following command: # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) Is it the case that the user ownership is incorrect? Verify the system-wide shared library files are owned by "root" with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; Is it the case that any system wide shared library file is not owned by root? Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: $ sudo stat -c "%n %U" /var/log/audit/audit.log Audit logs must be owned by user root. If the log_file isn't defined in /etc/audit/auditd.conf, check all files in /var/log/audit/ directory instead. Is it the case that the audit log is not owned by root? Verify the operating system has all system log files under the /var/log directory, that are not excluded, with an owner set to root | syslog, Is it the case that not all log files owned by root or syslog? To check the ownership of /var/log/apt/*, run the command: $ ls -lL /var/log/apt/* If properly configured, the output should indicate the following owner: root Is it the case that /var/log/apt/* does not have an owner of root? To check the ownership of /var/log/gdm/*, run the command: $ ls -lL /var/log/gdm/* If properly configured, the output should indicate the following owner: root Is it the case that /var/log/gdm/* does not have an owner of root? To check the ownership of /var/log/gdm3/*, run the command: $ ls -lL /var/log/gdm3/* If properly configured, the output should indicate the following owner: root Is it the case that /var/log/gdm3/* does not have an owner of root? To check the ownership of /var/log/landscape/*, run the command: $ ls -lL /var/log/landscape/* If properly configured, the output should indicate the following owner: root|landscape Is it the case that /var/log/landscape/* does not have an owner of root|landscape? To check the ownership of /var/log/sssd/*, run the command: $ ls -lL /var/log/sssd/* If properly configured, the output should indicate the following owner: sssd|root Is it the case that /var/log/sssd/* does not have an owner of sssd|root? To verify that .bash_history has a mode of 0600 or less permissive, run the following command: $ sudo find /home -type f -name '\.bash_history' -perm /0177 There should be no output. Is it the case that file is not 0600 or more permissive? To verify that all user initialization files have a mode of 0740 or less permissive, run the following command: $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \) There should be no output. Is it the case that they are not 0740 or more permissive? To check the permissions of /etc/at.allow, run the command: $ ls -l /etc/at.allow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/at.allow does not have unix mode -rw-r-----? To check the permissions of /etc/at.deny, run the command: $ ls -l /etc/at.deny If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/at.deny does not have unix mode -rw-r-----? Verify it by running the following command: $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 755 /sbin/autrace 755 /sbin/auditd 755 /sbin/augenrules 755 If the command does not return all the above lines, the missing ones need to be added. Run the following command to correct the permissions of the missing entries: $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissions. Is it the case that ? To check the permissions of /etc/group-, run the command: $ ls -l /etc/group- If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/group- does not have unix mode -rw-r--r--? To check the permissions of /etc/gshadow-, run the command: $ ls -l /etc/gshadow- If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/gshadow- does not have unix mode -rw-r-----? To check the permissions of /etc/passwd-, run the command: $ ls -l /etc/passwd- If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/passwd- does not have unix mode -rw-r--r--? To check the permissions of /etc/shadow-, run the command: $ ls -l /etc/shadow- If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/shadow- does not have unix mode -rw-r-----? Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; Is it the case that any system commands are found to be group-writable or world-writable? To check the permissions of /etc/cron.allow, run the command: $ ls -l /etc/cron.allow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/cron.allow does not have unix mode -rw-r-----? To check the permissions of /etc/cron.d, run the command: $ ls -l /etc/cron.d If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that /etc/cron.d does not have unix mode -rwx------? To check the permissions of /etc/cron.daily, run the command: $ ls -l /etc/cron.daily If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that /etc/cron.daily does not have unix mode -rwx------? To check the permissions of /etc/cron.hourly, run the command: $ ls -l /etc/cron.hourly If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that /etc/cron.hourly does not have unix mode -rwx------? To check the permissions of /etc/cron.monthly, run the command: $ ls -l /etc/cron.monthly If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that /etc/cron.monthly does not have unix mode -rwx------? To check the permissions of /etc/cron.weekly, run the command: $ ls -l /etc/cron.weekly If properly configured, the output should indicate the following permissions: -rwx------ Is it the case that /etc/cron.weekly does not have unix mode -rwx------? To check the permissions of /etc/crontab, run the command: $ ls -l /etc/crontab If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /etc/crontab does not have unix mode -rw-------? To check the permissions of /etc/audit/auditd.conf, run the command: $ ls -l /etc/audit/auditd.conf If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/audit/auditd.conf does not have unix mode -rw-r-----? To check the permissions of /etc/audit/audit.rules, run the command: $ ls -l /etc/audit/audit.rules If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/audit/audit.rules does not have unix mode -rw-r-----? To check the permissions of /etc/audit/rules.d/*.rules, run the command: $ ls -l /etc/audit/rules.d/*.rules If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /etc/audit/rules.d/*.rules does not have unix mode -rw-------? To check the permissions of /etc/group, run the command: $ ls -l /etc/group If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/group does not have unix mode -rw-r--r--? To check the permissions of /etc/gshadow, run the command: $ ls -l /etc/gshadow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/gshadow does not have unix mode -rw-r-----? To check the permissions of /etc/issue, run the command: $ ls -l /etc/issue If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/issue does not have unix mode -rw-r--r--? To check the permissions of /etc/issue.net, run the command: $ ls -l /etc/issue.net If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/issue.net does not have unix mode -rw-r--r--? To check the permissions of /etc/motd, run the command: $ ls -l /etc/motd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/motd does not have unix mode -rw-r--r--? To check the permissions of /etc/passwd, run the command: $ ls -l /etc/passwd If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/passwd does not have unix mode -rw-r--r--? To check the permissions of /etc/security/opasswd, run the command: $ ls -l /etc/security/opasswd If properly configured, the output should indicate the following permissions: 0600 Is it the case that /etc/security/opasswd does not have unix mode 0600? To check the permissions of /etc/security/opasswd.old, run the command: $ ls -l /etc/security/opasswd.old If properly configured, the output should indicate the following permissions: 0600 Is it the case that /etc/security/opasswd.old does not have unix mode 0600? To check the permissions of /etc/shadow, run the command: $ ls -l /etc/shadow If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /etc/shadow does not have unix mode -rw-r-----? To check the permissions of /etc/shells, run the command: $ ls -l /etc/shells If properly configured, the output should indicate the following permissions: 0644 Is it the case that /etc/shells does not have unix mode 0644? To check the permissions of /boot/grub/grub.cfg, run the command: $ sudo ls -lL /boot/grub/grub.cfg If properly configured, the output should indicate the following permissions: -rw------- Is it the case that it does not? To verify the assigned home directory of all interactive user home directories have a mode of 0750 or less permissive, run the following command: $ sudo ls -l /home Inspect the output for any directories with incorrect permissions. Is it the case that they are more permissive? Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; Is it the case that any system-wide shared library file is found to be group-writable or world-writable? To check the permissions of /etc/ssh/sshd_config, run the command: $ ls -l /etc/ssh/sshd_config If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------? To check the permissions of /etc/ssh/*_key, run the command: $ ls -l /etc/ssh/*_key If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /etc/ssh/*_key does not have unix mode -rw-------? To check the permissions of /etc/ssh/*.pub, run the command: $ ls -l /etc/ssh/*.pub If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--? To check the permissions of /var/log/journal/.*/system.journal, run the command: $ ls -l /var/log/journal/.*/system.journal If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /var/log/journal/.*/system.journal does not have unix mode -rw-r-----? To check the permissions of /boot/System.map*, run the command: $ ls -l /boot/System.map* If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /boot/System.map* does not have unix mode -rw-------? To find world-writable files, run the following command: $ sudo find / -xdev -type f -perm -002 Is it the case that there is output? The following command will locate the mount points related to local devices: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) The following command will show files which do not belong to a valid group: $ sudo find MOUNTPOINT -xdev -nogroup 2>/dev/null Replace MOUNTPOINT by the mount points listed by the fist command. No files without a valid group should be located. Is it the case that there is output? To check the permissions of /var/log, run the command: $ ls -l /var/log If properly configured, the output should indicate the following permissions: drwxr-xr-x Is it the case that /var/log does not have unix mode drwxr-xr-x? To check the permissions of /var/log/apt/.*, run the command: $ ls -l /var/log/apt/.* If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /var/log/apt/.* does not have unix mode -rw-r--r--? Run the following command to check the mode of the system audit logs: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file=/var/log/audit/audit.log $ sudo stat -c "%n %a" /var/log/audit/* $ sudo ls -l /var/log/audit Audit logs must be mode 0640 or less permissive. Is it the case that any permissions are more permissive? To check the permissions of /var/log/auth.log, run the command: $ ls -l /var/log/auth.log If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /var/log/auth.log does not have unix mode -rw-r-----? To check the permissions of /var/log/cloud-init.log, run the command: $ ls -l /var/log/cloud-init.log If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /var/log/cloud-init.log does not have unix mode -rw-r--r--? To check the permissions of /var/log/gdm/*, run the command: $ ls -l /var/log/gdm/* If properly configured, the output should indicate the following permissions: -rw-rw---- Is it the case that /var/log/gdm/* does not have unix mode -rw-rw----? To check the permissions of /var/log/gdm3/*, run the command: $ ls -l /var/log/gdm3/* If properly configured, the output should indicate the following permissions: -rw-rw---- Is it the case that /var/log/gdm3/* does not have unix mode -rw-rw----? To check the permissions of /var/log/lastlog, run the command: $ ls -l /var/log/lastlog If properly configured, the output should indicate the following permissions: -rw-rw-r-- Is it the case that /var/log/lastlog does not have unix mode -rw-rw-r--? To check the permissions of /var/log/localmessages, run the command: $ ls -l /var/log/localmessages If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /var/log/localmessages does not have unix mode -rw-r--r--? To check the permissions of /var/log/messages, run the command: $ ls -l /var/log/messages If properly configured, the output should indicate the following permissions: -rw------- Is it the case that /var/log/messages does not have unix mode -rw-------? To check the permissions of /var/log/secure, run the command: $ ls -l /var/log/secure If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /var/log/secure does not have unix mode -rw-r-----? To check the permissions of /var/log/sssd/*, run the command: $ ls -l /var/log/sssd/* If properly configured, the output should indicate the following permissions: -rw-rw---- Is it the case that /var/log/sssd/* does not have unix mode -rw-rw----? To check the permissions of /var/log/syslog, run the command: $ ls -l /var/log/syslog If properly configured, the output should indicate the following permissions: -rw-r----- Is it the case that /var/log/syslog does not have unix mode -rw-r-----? To check the permissions of /var/log/waagent.log, run the command: $ ls -l /var/log/waagent.log If properly configured, the output should indicate the following permissions: -rw-r--r-- Is it the case that /var/log/waagent.log does not have unix mode -rw-r--r--? To check the permissions of /var/log/(b|w)tmp(.*|-*), run the command: $ ls -l /var/log/(b|w)tmp(.*|-*) If properly configured, the output should indicate the following permissions: -rw-rw-r-- Is it the case that /var/log/(b|w)tmp(.*|-*) does not have unix mode -rw-rw-r--? To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: $ sudo pwck -qr There should be no output. Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group? To ensure that XDMCP is disabled in /etc/gdm3/custom.conf, run the following command: grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm3/custom.conf The output should return the following: [xdmcp] Enable=false Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm3/custom.conf gdm configuration file? Run the following command to check for duplicate group names: Check that the operating system contains no duplicate Group ID (GID) for interactive users by running the following command: cut -d : -f 3 /etc/group | uniq -d If output is produced, this is a finding. Configure the operating system to contain no duplicate GIDs. Edit the file "/etc/group" and provide each group that has a duplicate GID with a unique GID. Is it the case that the system has duplicate group ids? Run the following command to check for duplicate group names: Check that the operating system contains no duplicate group names for interactive users by running the following command: cut -d : -f 1 /etc/group | uniq -d If output is produced, this is a finding. Configure the operating system to contain no duplicate names for groups. Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name. Is it the case that has duplicate group names? Verify that only the "root" group has a GID "0" assignment with the following command: $ awk -F: '$3 == 0 {print $1}' /etc/group root Is it the case that any groups other than "root" have a GID of "0"? Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes audit=1, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: $ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub If the recovery is disabled, check the line with $ sudo grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub.Moreover, current Grub config file grub.cfg must be checked. The file can be found either in /boot/grub in case of legacy BIOS systems, or in /boot/grub in case of UEFI systems. If they include audit=1, then the parameter is configured at boot time. $ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'audit=1' Fill in GRUB_CFG_FILE_PATH based on information above. This command should not return any output. Is it the case that auditing is not enabled at boot time? Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes audit_backlog_limit=, then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled: $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub If this option is set to true, then check that a line is output by the following command: $ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit_backlog_limit=.*' /etc/default/grub If the recovery is disabled, check the line with $ sudo grep 'GRUB_CMDLINE_LINUX.*audit_backlog_limit=.*' /etc/default/grub.Moreover, current Grub config file grub.cfg must be checked. The file can be found either in /boot/grub in case of legacy BIOS systems, or in /boot/grub in case of UEFI systems. If they include audit_backlog_limit=, then the parameter is configured at boot time. $ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'audit_backlog_limit=' Fill in GRUB_CFG_FILE_PATH based on information above. This command should not return any output. Is it the case that audit backlog limit is not configured? First, check whether the password is defined in either /boot/grub/user.cfg or /boot/grub/grub.cfg. Run the following commands: $ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' /boot/grub/user.cfg $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' /boot/grub/grub.cfg Second, check that a superuser is defined in /boot/grub/grub.cfg. $ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' /boot/grub/grub.cfg Is it the case that it does not produce any output? To verify the boot loader superuser password has been set, run the following command: $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/grub/user.cfg The output should be similar to: GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 Is it the case that no password is set? Run the following command to verify that the MTA is not listening on any non-loopback address (127.0.0.1 or ::1). # ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s' Nothing should be returned Is it the case that MTA is listening on any non-loopback address? Check that Ubuntu 22.04 has the packages for smart card support installed. Run the following command to determine if the libpam-pkcs11 package is installed: $ dpkg -l libpam-pkcs11 Is it the case that smartcard software is not installed? Run the following command to determine open ports: # ss -6tuln Run the following command to determine firewall rules: # ip6tables -L INPUT -v -n For each port identified in the audit which does not have a firewall rule, add rule for accepting or denying inbound connections # ip6tables -A INPUT -p \ --dport \ -m state --state NEW -j ACCEPT Is it the case that open ports are denied connection? Run the following command to determine open ports: # ss -4tuln Run the following command to determine firewall rules: # iptables -L INPUT -v -n For each port identified in the audit which does not have a firewall rule, add rule for accepting or denying inbound connections # iptables -A INPUT -p --dport -m state --state NEW -j ACCEPT Is it the case that open ports are denied connection? To verify /proc/sys/crypto/fips_enabled exists, run the following command: cat /proc/sys/crypto/fips_enabled The output should be: 1 Is it the case that the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist? Storing logs with compression can help avoid filling the system disk. Run the following command to verify that journald is compressing logs. grep "^\sCompress" /etc/systemd/journald.conf and it should return Compress=yes Is it the case that is commented out or not configured correctly? Run the following command to verify that journald is not forwarding logs to syslog. grep "^\sForwardToSyslog" /etc/systemd/journald.conf and it should return ForwardToSyslog=no Is it the case that is commented out or not configured correctly? Storing logs with persistent storage ensures they are available after a reboot or system crash. Run the command below to verify that logs are being persistently stored to disk. grep "^\sStorage" /etc/systemd/journald.conf and it should return Storage=persistent Is it the case that is commented out or not configured correctly? If the system is configured to prevent the loading of the cramfs kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the dccp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r dccp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the rds kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r rds /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the sctp kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r sctp /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the tipc kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r tipc /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? If the system is configured to prevent the loading of the usb-storage kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/false) upon a module install event. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d Is it the case that no line is returned? Verify the nodev option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . nodev . . . Is it the case that the "/dev/shm" file system does not have the "nodev" option set? Verify the noexec option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . noexec . . . Is it the case that the "/dev/shm" file system does not have the "noexec" option set? Verify the nosuid option is configured for the /dev/shm mount point, run the following command: $ sudo mount | grep '\s/dev/shm\s' . . . /dev/shm . . . nosuid . . . Is it the case that the "/dev/shm" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /home mount point, run the following command: $ sudo mount | grep '\s/home\s' . . . /home . . . nodev . . . Is it the case that the "/home" file system does not have the "nodev" option set? Verify the nosuid option is configured for the /home mount point, run the following command: $ sudo mount | grep '\s/home\s' . . . /home . . . nosuid . . . Is it the case that the "/home" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /tmp mount point, run the following command: $ sudo mount | grep '\s/tmp\s' . . . /tmp . . . nodev . . . Is it the case that the "/tmp" file system does not have the "nodev" option set? Verify the noexec option is configured for the /tmp mount point, run the following command: $ sudo mount | grep '\s/tmp\s' . . . /tmp . . . noexec . . . Is it the case that the "/tmp" file system does not have the "noexec" option set? Verify the nosuid option is configured for the /tmp mount point, run the following command: $ sudo mount | grep '\s/tmp\s' . . . /tmp . . . nosuid . . . Is it the case that the "/tmp" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /var/log/audit mount point, run the following command: $ sudo mount | grep '\s/var/log/audit\s' . . . /var/log/audit . . . nodev . . . Is it the case that the "/var/log/audit" file system does not have the "nodev" option set? Verify the noexec option is configured for the /var/log/audit mount point, run the following command: $ sudo mount | grep '\s/var/log/audit\s' . . . /var/log/audit . . . noexec . . . Is it the case that the "/var/log/audit" file system does not have the "noexec" option set? Verify the nosuid option is configured for the /var/log/audit mount point, run the following command: $ sudo mount | grep '\s/var/log/audit\s' . . . /var/log/audit . . . nosuid . . . Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /var/log mount point, run the following command: $ sudo mount | grep '\s/var/log\s' . . . /var/log . . . nodev . . . Is it the case that the "/var/log" file system does not have the "nodev" option set? Verify the noexec option is configured for the /var/log mount point, run the following command: $ sudo mount | grep '\s/var/log\s' . . . /var/log . . . noexec . . . Is it the case that the "/var/log" file system does not have the "noexec" option set? Verify the nosuid option is configured for the /var/log mount point, run the following command: $ sudo mount | grep '\s/var/log\s' . . . /var/log . . . nosuid . . . Is it the case that the "/var/log" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /var mount point, run the following command: $ sudo mount | grep '\s/var\s' . . . /var . . . nodev . . . Is it the case that the "/var" file system does not have the "nodev" option set? Verify the nosuid option is configured for the /var mount point, run the following command: $ sudo mount | grep '\s/var\s' . . . /var . . . nosuid . . . Is it the case that the "/var" file system does not have the "nosuid" option set? Verify the nodev option is configured for the /var/tmp mount point, run the following command: $ sudo mount | grep '\s/var/tmp\s' . . . /var/tmp . . . nodev . . . Is it the case that the "/var/tmp" file system does not have the "nodev" option set? Verify the noexec option is configured for the /var/tmp mount point, run the following command: $ sudo mount | grep '\s/var/tmp\s' . . . /var/tmp . . . noexec . . . Is it the case that the "/var/tmp" file system does not have the "noexec" option set? Verify the nosuid option is configured for the /var/tmp mount point, run the following command: $ sudo mount | grep '\s/var/tmp\s' . . . /var/tmp . . . nosuid . . . Is it the case that the "/var/tmp" file system does not have the "nosuid" option set? Run the following commands and verify that base chains policy is drop: $ sudo nft list ruleset | grep 'hook input' Output should include a list of nftables similar to: type filter hook input priority 0; policy drop; Same goes not only for hook input, but also output and forward Is it the case that default policy is not set for nftables rules? Run the following commands to verify that input, forward, and output base chains are configured to be applied to a nftables ruleset on boot. Run the following command to verify the input base chain: # awk '/hook input/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' \ ) or for forward base chain: # awk '/hook forward/,/}/' $(awk '$1 ~ /^\s*include/ { gsub("\"","",$2);print $2 }' \ ) Review the base chains to ensure that they follow local site policy Is it the case that no nftables configuration exist? To verify that null passwords cannot be used, run the following command: grep nullok /etc/pam.d/common-password If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords. Is it the case that NULL passwords can be used? To verify that null passwords cannot be used, run the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If this produces any output, it may be possible to log into accounts with empty passwords. Is it the case that Blank or NULL passwords can be used? The following command will locate the mount points related to local devices: $ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) The following command will show files which do not belong to a valid user: $ sudo find MOUNTPOINT -xdev -nouser 2>/dev/null Replace MOUNTPOINT by the mount points listed by the fist command. No files without a valid user should be located. Is it the case that files exist that are not owned by a valid user? To check the system for the existence of any .forward files, run the following command: $ sudo find /home -xdev -name .forward Is it the case that any .forward files exist? To check the system for the existence of any .netrc files, run the following command: $ sudo find /home -xdev -name .netrc Is it the case that any .netrc files exist? To verify that nologin is not listed in /etc/shells, run: $ grep nologin /etc/shells The command should return no output. Is it the case that nologin is listed in /etc/shells? The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship. Is it the case that these files exist? To obtain a listing of all users, their UIDs, and their shells, run the command: $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than 1000, other than root. Is it the case that any system account other than root has a login shell? Run the following command to determine if the aide package is installed: $ dpkg -l aide Is it the case that the package is not installed? Is it the case that the package is not installed? Run the following command to determine if the audit package is installed: $ dpkg -l audit Is it the case that the audit package is not installed? The autofs package can be removed with the following command: $ apt-get remove autofs Is it the case that ? Run the following command to determine if the avahi package is installed: $ dpkg -l avahi Is it the case that the package is installed? Run the following command to determine if the bind package is installed: $ dpkg -l bind Is it the case that the package is installed? Run the following command to determine if the chrony package is installed: $ dpkg -l chrony Is it the case that the package is not installed? Run the following command to determine if the cron package is installed: $ dpkg -l cron Is it the case that the package is installed? Run the following command to determine if the cups package is installed: $ dpkg -l cups Is it the case that the package is installed? Run the following command to determine if the isc-dhcp-server package is installed: $ dpkg -l isc-dhcp-server Is it the case that the package is installed? Run the following command to determine if the dnsmasq package is installed: $ dpkg -l dnsmasq Is it the case that the package is installed? Run the following command to determine if the dovecot-core package is installed: $ dpkg -l dovecot-core Is it the case that the package is installed? The ftp package can be removed with the following command: $ apt-get remove ftp Is it the case that ? To ensure the gdm3 package group is removed, run the following command: $ dpkg -l gdm3 The output should begin with: rc gdm3 Or dpkg-query: no packages found matching gdm3 Is it the case that gdm3 has not been removed? Run the following command to determine if the apache2 package is installed: $ dpkg -l apache2 Is it the case that the package is installed? Run the following command to determine if the iptables-persistent package is installed: $ dpkg -l iptables-persistent Is it the case that the package is not installed? Run the following command to determine if the iptables-persistent package is installed: $ dpkg -l iptables-persistent Is it the case that the package is installed? Run the following command to determine if the iptables package is installed: $ dpkg -l iptables Is it the case that the package is not installed? Run the following command to determine if the snmp package is installed: $ dpkg -l snmp Is it the case that the package is installed? Run the following command to determine if the nfs-kernel-server package is installed: $ dpkg -l nfs-kernel-server Is it the case that the package is installed? Run the following command to determine if the nftables package is installed: $ dpkg -l nftables Is it the case that the package is not installed? Run the following command to determine if the nginx package is installed: $ dpkg -l nginx Is it the case that the package is installed? Run the following command to determine if the ldap-utils package is installed: $ dpkg -l ldap-utils Is it the case that the package is installed? To verify the slapd package is not installed, run the following command: $ dpkg -l slapd The output should show the following: package slapd is not installed Is it the case that it does not? Run the following command to determine if the opensc-pkcs11 package is installed: $ dpkg -l opensc-pkcs11 Is it the case that the package is not installed? Run the following command to determine if the openssh-server package is installed: $ dpkg -l openssh-server Is it the case that the package is not installed? Run the following command to determine if the libpam-pwquality package is installed: $ dpkg -l libpam-pwquality Is it the case that the package is not installed? Run the following command to determine if the rpcbind package is installed: $ dpkg -l rpcbind Is it the case that the package is installed? Run the following command to determine if the rsh-server package is installed: $ dpkg -l rsh-server Is it the case that the package is installed? The rsh-client package can be removed with the following command: $ apt-get remove rsh-client Is it the case that ? Run the following command to determine if the rsync package is installed: $ dpkg -l rsync Is it the case that the package is installed? Run the following command to determine if the rsyslog package is installed: $ dpkg -l rsyslog Is it the case that the package is not installed? Run the following command to determine if the samba package is installed: $ dpkg -l samba Is it the case that the package is installed? Run the following command to determine if the squid package is installed: $ dpkg -l squid Is it the case that the package is installed? Run the following command to determine if the sudo package is installed: $ dpkg -l sudo Is it the case that the package is not installed? Run the following command to determine if the systemd-journal-remote package is installed: $ dpkg -l systemd-journal-remote Is it the case that the package is not installed? Run the following command to determine if the talk package is installed: $ dpkg -l talk Is it the case that the package is installed? The telnet package can be removed with the following command: $ apt-get remove telnet Is it the case that ? Run the following command to determine if the tftpd-hpa package is installed: $ dpkg -l tftpd-hpa Is it the case that the package is installed? Run the following command to determine if the ufw package is installed: $ dpkg -l ufw Is it the case that the package is not installed? Run the following command to determine if the ufw package is installed: $ dpkg -l ufw Is it the case that the package is installed? Run the following command to determine if the vsftpd package is installed: $ dpkg -l vsftpd Is it the case that the package is installed? Run the following command to determine if the xinetd package is installed: $ dpkg -l xinetd Is it the case that the package is installed? To ensure the X Windows package group is removed, run the following command: $ rpm -qi xorg-x11-server-common The output should be: package xorg-x11-server-common is not installed Is it the case that the X Windows package group or xorg-x11-server-common has not be removed? Run the following command to determine if the ypserv package is installed: $ dpkg -l ypserv Is it the case that the package is installed? Verify that a separate file system/partition has been created for /dev/shm with the following command: $ mountpoint /dev/shm Is it the case that "/dev/shm is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /home with the following command: $ mountpoint /home Is it the case that "/home is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /tmp with the following command: $ mountpoint /tmp Is it the case that "/tmp is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /var with the following command: $ mountpoint /var Is it the case that "/var is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /var/log with the following command: $ mountpoint /var/log Is it the case that "/var/log is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /var/log/audit with the following command: $ mountpoint /var/log/audit Is it the case that "/var/log/audit is not a mountpoint" is returned? Verify that a separate file system/partition has been created for /var/tmp with the following command: $ mountpoint /var/tmp Is it the case that "/var/tmp is not a mountpoint" is returned? Verify the operating system has all system log files under the /var/log directory with a permission set to 640, by using the following command: sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \; Is it the case that not all log files have permission 640 or stricter? Run the following command to ensure postfix accepts mail messages from only the local system: $ grep inet_interfaces /etc/postfix/main.cf If properly configured, the output should show only . Is it the case that it does not? Verify the operating system prevents direct logins to the root account with the following command: $ sudo passwd -S root root L 04/23/2020 0 99999 7 -1 If the output does not contain "L" in the second field to indicate the account is locked, then run the following command: $ sudo passwd -l root Is it the case that the output does not contain "L" in the second field? Verify the system-wide shared library files are group-owned by root or a required system account with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; Is it the case that any system wide shared library file is returned and is not group-owned by root or a required system account? The group-owner of all log files written by rsyslog should be adm. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the group-owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the group-owner is not correct? The owner of all log files written by rsyslog should be syslog. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the owner of a given log file, run the following command: $ ls -l LOGFILE Is it the case that the owner is not correct? The file permissions for all log files written by rsyslog should be set to 640, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. To see the permissions of a given log file, run the following command: $ ls -l LOGFILE The permissions should be 640, or more restrictive. Is it the case that the permissions are not correct? To verify that remote access methods are logging to rsyslog, run the following command: grep -rE '^(auth\.\*,authpriv\.\*|daemon\.\*)' /etc/rsyslog.* The output should contain auth.*, authpriv.*, and daemon.* pointing to a log file. Is it the case that remote access methods are not logging to rsyslog? Run the following command to determine the current status of the auditd service: $ sudo systemctl is-active auditd If the service is running, it should return the following: active Is it the case that the auditd service is not running? To check that the autofs service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled autofs Output should indicate the autofs service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled autofs disabled Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active autofs If the service is not running the command will return the following output: inactive The service will also be masked, to check that the autofs is masked, run the following command: $ sudo systemctl show autofs | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "autofs" is loaded and not masked? To check that the avahi-daemon service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled avahi-daemon Output should indicate the avahi-daemon service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled avahi-daemon disabled Run the following command to verify avahi-daemon is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active avahi-daemon If the service is not running the command will return the following output: inactive The service will also be masked, to check that the avahi-daemon is masked, run the following command: $ sudo systemctl show avahi-daemon | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "avahi-daemon" is loaded and not masked? To check that the bluetooth service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled bluetooth Output should indicate the bluetooth service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled bluetooth disabled Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active bluetooth If the service is not running the command will return the following output: inactive The service will also be masked, to check that the bluetooth is masked, run the following command: $ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "bluetooth" is loaded and not masked? Run the following command to determine the current status of the chronyd service: $ sudo systemctl is-active chronyd If the service is running, it should return the following: active Is it the case that the chronyd process is not running? Run the following command to determine the current status of the cron service: $ sudo systemctl is-active cron If the service is running, it should return the following: active Is it the case that ? To check that the cups service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled cups Output should indicate the cups service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled cups disabled Run the following command to verify cups is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active cups If the service is not running the command will return the following output: inactive The service will also be masked, to check that the cups is masked, run the following command: $ sudo systemctl show cups | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "cups" is loaded and not masked? To check that the dhcpd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled dhcpd Output should indicate the dhcpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled dhcpd disabled Run the following command to verify dhcpd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active dhcpd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the dhcpd is masked, run the following command: $ sudo systemctl show dhcpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "dhcpd" is loaded and not masked? To check that the dovecot service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled dovecot Output should indicate the dovecot service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled dovecot disabled Run the following command to verify dovecot is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active dovecot If the service is not running the command will return the following output: inactive The service will also be masked, to check that the dovecot is masked, run the following command: $ sudo systemctl show dovecot | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "dovecot" is loaded and not masked? To check that the apache2 service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled apache2 Output should indicate the apache2 service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled apache2 disabled Run the following command to verify apache2 is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active apache2 If the service is not running the command will return the following output: inactive The service will also be masked, to check that the apache2 is masked, run the following command: $ sudo systemctl show apache2 | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "apache2" is loaded and not masked? To check that the kdump-tools service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled kdump-tools Output should indicate the kdump-tools service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled kdump-tools disabled Run the following command to verify kdump-tools is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active kdump-tools If the service is not running the command will return the following output: inactive The service will also be masked, to check that the kdump-tools is masked, run the following command: $ sudo systemctl show kdump-tools | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "kdump-tools" is loaded and not masked? To check that the nfs-server service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled nfs-server Output should indicate the nfs-server service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled nfs-server disabled Run the following command to verify nfs-server is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active nfs-server If the service is not running the command will return the following output: inactive The service will also be masked, to check that the nfs-server is masked, run the following command: $ sudo systemctl show nfs-server | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "nfs-server" is loaded and not masked? To check that the nftables service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled nftables Output should indicate the nftables service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled nftables disabled Run the following command to verify nftables is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active nftables If the service is not running the command will return the following output: inactive The service will also be masked, to check that the nftables is masked, run the following command: $ sudo systemctl show nftables | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "nftables" is loaded and not masked? Run the following command to determine the current status of the nftables service: $ sudo systemctl is-active nftables If the service is running, it should return the following: active Is it the case that the "nftables" service is disabled, masked, or not started.? To check that the nginx service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled nginx Output should indicate the nginx service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled nginx disabled Run the following command to verify nginx is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active nginx If the service is not running the command will return the following output: inactive The service will also be masked, to check that the nginx is masked, run the following command: $ sudo systemctl show nginx | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "nginx" is loaded and not masked? To check that the rsyncd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled rsyncd Output should indicate the rsyncd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled rsyncd disabled Run the following command to verify rsyncd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active rsyncd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the rsyncd is masked, run the following command: $ sudo systemctl show rsyncd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "rsyncd" is loaded and not masked? Run the following command to determine the current status of the rsyslog service: $ sudo systemctl is-active rsyslog If the service is running, it should return the following: active Is it the case that the "rsyslog" service is disabled, masked, or not started.? To check that the slapd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled slapd Output should indicate the slapd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled slapd disabled Run the following command to verify slapd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active slapd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the slapd is masked, run the following command: $ sudo systemctl show slapd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "slapd" is loaded and not masked? To check that the smb service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled smb Output should indicate the smb service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled smb disabled Run the following command to verify smb is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active smb If the service is not running the command will return the following output: inactive The service will also be masked, to check that the smb is masked, run the following command: $ sudo systemctl show smb | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "smb" is loaded and not masked? To check that the snmpd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled snmpd Output should indicate the snmpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled snmpd disabled Run the following command to verify snmpd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active snmpd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the snmpd is masked, run the following command: $ sudo systemctl show snmpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "snmpd" is loaded and not masked? To check that the squid service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled squid Output should indicate the squid service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled squid disabled Run the following command to verify squid is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active squid If the service is not running the command will return the following output: inactive The service will also be masked, to check that the squid is masked, run the following command: $ sudo systemctl show squid | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "squid" is loaded and not masked? Run the following command to determine the current status of the sshd service: $ sudo systemctl is-active sshd If the service is running, it should return the following: active Is it the case that sshd service is disabled? Run the following command to determine the current status of the systemd-journal-upload service: $ sudo systemctl is-active systemd-journal-upload If the service is running, it should return the following: active Is it the case that the systemd-journal-upload service is not running? Run the following command to determine the current status of the systemd-journald service: $ sudo systemctl is-active systemd-journald If the service is running, it should return the following: active Is it the case that the systemd-journald service is not running? To check that the tftpd-hpa service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled tftpd-hpa Output should indicate the tftpd-hpa service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled tftpd-hpa disabled Run the following command to verify tftpd-hpa is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active tftpd-hpa If the service is not running the command will return the following output: inactive The service will also be masked, to check that the tftpd-hpa is masked, run the following command: $ sudo systemctl show tftpd-hpa | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "tftpd-hpa" is loaded and not masked? Review /etc/systemd/timesyncd.conf and ensure that the NTP servers, NTP FallbackNTP servers are listed in accordance with local policy. Is it the case that a remote time server is not configured? Run the following command to determine the current status of the systemd_timesyncd service: $ sudo systemctl is-active systemd_timesyncd If the service is running, it should return the following: active Is it the case that ? Run the following command to determine the current status of the ufw service: $ sudo systemctl is-active ufw If the service is running, it should return the following: active Is it the case that the service is not enabled? To check that the vsftpd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled vsftpd Output should indicate the vsftpd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled vsftpd disabled Run the following command to verify vsftpd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active vsftpd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the vsftpd is masked, run the following command: $ sudo systemctl show vsftpd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "vsftpd" is loaded and not masked? If network services are using the xinetd service, this is not applicable. To check that the xinetd service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled xinetd Output should indicate the xinetd service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled xinetd disabled Run the following command to verify xinetd is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active xinetd If the service is not running the command will return the following output: inactive The service will also be masked, to check that the xinetd is masked, run the following command: $ sudo systemctl show xinetd | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "xinetd" is loaded and not masked? To check that the ypserv service is disabled in system boot configuration, run the following command: $ sudo systemctl is-enabled ypserv Output should indicate the ypserv service has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled ypserv disabled Run the following command to verify ypserv is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active ypserv If the service is not running the command will return the following output: inactive The service will also be masked, to check that the ypserv is masked, run the following command: $ sudo systemctl show ypserv | grep "LoadState\|UnitFileState" If the service is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the "ypserv" is loaded and not masked? If IPv6 is disabled, this is not applicable. Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/ip6tables Is it the case that the default policy for the INPUT chain is not set to DROP? Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP: $ sudo grep ":INPUT" /etc/sysconfig/iptables Is it the case that the default policy for the INPUT chain is not set to DROP? Verify that the ipv6 loopback interface has required rules in order: $ iptables -L INPUT -v -n Is it the case that ipv6 loopback traffic is not configured? Run the following commands and verify output: # iptables -L INPUT -v -n | grep lo | grep ACCEPT # iptables -L INPUT -v -n | grep 127.0.0.0\/8 | grep DROP # iptables -L OUTPUT -v -n | grep lo | grep ACCEPT Is it the case that loopback traffic is not configured? To verify that base chains exist for INPUT, FORWARD, and OUTPUT, run the following commands: $ sudo nft list ruleset | grep 'hook input' $ sudo nft list ruleset | grep 'hook forward' $ sudo nft list ruleset | grep 'hook output' Output should be similar to: type filter hook input priority 0; type filter hook forward priority 0; type filter hook output priority 0; Is it the case that base chains do not exist for nftables? Verify that the loopback interface is configured: # nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' iif "lo" accept If IPv6 is enabled, verify that the IPv6 loopback interface is configured: # nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop Is it the case that nftables loopback traffic is not configured? To verify that a nftables table exists, run the following command: $ sudo nft list tables Output should include a list of nftables similar to: table Is it the case that a nftables table does not exist? Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: $ sudo grep -i ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD Is it the case that ENCRYPT_METHOD is not set to <sub idref="var_password_hashing_algorithm" />? Inspect the password section of /etc/pam.d/common-password and ensure that the pam_unix.so module is configured to use the argument : $ sudo grep "^password.*pam_unix\.so.*" /etc/pam.d/common-password password [success=1 default=ignore] pam_unix.so Is it the case that "<sub idref="var_password_hashing_algorithm_pam" />" is missing, or is commented out? Run the following command and verify that the default policy for incoming, outgoing, and routed directions is deny, reject, or disabled: # ufw status verbose | grep Default: Example output: Default: deny (incoming), deny (outgoing), disabled (routed) Is it the case that the default policy for the incoming, outgoing and routed is not set to deny, reject or disabled? Run the following commands to implement the loopback rules: # ufw allow in on lo # ufw allow out on lo # ufw deny in from 127.0.0.0/8 # ufw deny in from ::1 Is it the case that loopback traffic is not configured? To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ca is not configured? To verify the operating system implements certificate status checking for PKI authentication, run the following command: $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf The output should return multiple lines similar to the following: cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; cert_policy = ca, ocsp_on, signature; Is it the case that ocsp_on is not configured? To verify the operating system implements local cache of revocation data for PKI authentication, run the following command: sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- 'crl_auto|crl_offline' The output should return multiple lines similar to the following: cert_policy = ca,signature,ocsp_on,crl_auto; Is it the case that crl_auto or crl_offline is not configured? Remote access is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Check that the pam_pkcs11.so option is configured in the etc/pam.d/common-auth file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth [success=2 default=ignore] pam_pkcs11.so If pam_pkcs11.so is not set in etc/pam.d/common-auth this is a finding. Is it the case that non-exempt accounts are not using CAC authentication? To check that the systemd-journal-remote.socket socket is disabled in system boot configuration with systemd, run the following command: $ systemctl is-enabled systemd-journal-remote.socket Output should indicate the systemd-journal-remote.socket socket has either not been installed, or has been disabled at all runlevels, as shown in the example below: $ sudo systemctl is-enabled systemd-journal-remote.socketdisabled Run the following command to verify systemd-journal-remote.socket is not active (i.e. not running) through current runtime configuration: $ sudo systemctl is-active systemd-journal-remote.socket If the socket is not running the command will return the following output: inactive The socket will also be masked, to check that the systemd-journal-remote.socket is masked, run the following command: $ sudo systemctl show systemd-journal-remote.socket | grep "LoadState\|UnitFileState" If the socket is masked the command will return the following outputs: LoadState=masked UnitFileState=masked Is it the case that the systemd-journal-remote socket is not masked? To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command: $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's DisableForwarding option is set, run the following command: $ sudo grep -i DisableForwarding /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i DisableForwarding /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating yes is returned, then the required value is set. Is it the case that The DisableForwarding option doesn't exist or isn't set to yes? To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command: $ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's IgnoreRhosts option is set, run the following command: $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's PermitRootLogin option is set, run the following command: $ sudo grep -i PermitRootLogin /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's X11Forwarding option is set, run the following command: $ sudo grep -i X11Forwarding /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i X11Forwarding /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command: $ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating no is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's UsePAM option is set, run the following command: $ sudo grep -i UsePAM /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command: $ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf If a line indicating yes is returned, then the required value is set. Is it the case that the required value is not set? To determine how the SSH daemon's Banner option is set, run the following command: $ sudo grep -i Banner /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf If a line indicating /etc/issue.net is returned, then the required value is set. Is it the case that the required value is not set? To ensure sshd limits the users who can log in, run the following: $ sudo grep -rPi '^\h*(allow|deny)(users|groups)\h+\H+(\h+.*)?$' /etc/ssh/sshd_config* If properly configured, the output should be a list of usernames and/or groups allowed to log in to this system. Is it the case that sshd does not limit the users who can log in? Run the following command to see what the timeout interval is: $ sudo grep ClientAliveInterval /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveInterval Is it the case that it is commented out or not configured properly? To ensure ClientAliveInterval is set correctly, run the following command: $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config If properly configured, the output should be: ClientAliveCountMax For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes a timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds without receiving a keep alive message. Is it the case that it is commented out or not configured properly? To ensure LoginGraceTime is set correctly, run the following command: $ sudo grep LoginGraceTime /etc/ssh/sshd_config If properly configured, the output should be: LoginGraceTime If the option is set to a number greater than 0, then the unauthenticated session will be disconnected after the configured number seconds. Is it the case that it is commented out or not configured properly? To determine how the SSH daemon's LogLevel option is set, run the following command: $ sudo grep -i LogLevel /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i LogLevel /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating INFO is returned, then the required value is set. Is it the case that the required value is not set? To ensure the MaxAuthTries parameter is set, run the following command: $ sudo grep MaxAuthTries /etc/ssh/sshd_config If properly configured, output should be: MaxAuthTries Is it the case that it is commented out or not configured properly? Run the following command to see what the max sessions number is: $ sudo grep MaxSessions /etc/ssh/sshd_config If properly configured, the output should be: MaxSessions Is it the case that MaxSessions is not configured or not configured correctly? To check if MaxStartups is configured, run the following command: $ sudo grep -r ^[\s]*MaxStartups /etc/ssh/sshd_config* If configured, this command should output the configuration. Is it the case that maxstartups is not configured? Only FIPS ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only following ciphers (or a subset) in the exact order: aes256-ctr,aes192-ctr,aes128-ctr Is it the case that FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved? Only FIPS-approved key exchange algorithms must be used. To verify that only FIPS-approved key exchange algorithms are in use, run the following command: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config The output should contain only following algorithms (or a subset) in the exact order: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Is it the case that KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order? Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only following MACs (or a subset) in the exact order: MACs Is it the case that MACs option is commented out or not using FIPS-approved hash algorithms? Only strong ciphers should be used. To verify that only strong ciphers are in use, run the following command: $ sudo grep Ciphers /etc/ssh/sshd_config The output should contain only those ciphers which are considered strong, namely, chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr Is it the case that ciphers are not configured or not using strong ciphers? Only strong KEX algorithms should be used. To verify that only strong KexAlgorithms are in use, run the following command: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config The output should contain only those KexAlgorithms which are strong, namely, Is it the case that KexAlgorithms option is commented out or not using strong hash algorithms? Only strong MACs should be used. To verify that only strong MACs are in use, run the following command: $ sudo grep -i macs /etc/ssh/sshd_config The output should contain only those MACs which are strong, namely, hash functions. Is it the case that MACs option is commented out or not using strong hash algorithms? To determine how the SSH daemon's X11UseLocalhost option is set, run the following command: $ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf $ sudo grep -i X11UseLocalhost /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf If a line indicating yes is returned, then the required value is set. Is it the case that the display proxy is listening on wildcard address? To verify that SSSD expires offline credentials, run the following command: $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf If configured properly, output should be offline_credentials_expiration = 1 Is it the case that it does not exist or is not configured properly? To determine if use_pty has been configured for sudo, run the following command: $ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/ The command should return a matching output. Is it the case that use_pty is not enabled in sudo? To determine if logfile has been configured for sudo, run the following command: $ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/ The command should return a matching output. Is it the case that logfile is not enabled in sudo? To determine if !authenticate has not been configured for sudo, run the following command: $ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that !authenticate is specified in the sudo config files? To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command: $ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/ The command should return no output. Is it the case that nopasswd and/or !authenticate is enabled in sudo? Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges, run the following command: sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d The output should be: /etc/sudoers:Defaults timestamp_timeout=0 or "timestamp_timeout" is set to a positive number. If conflicting results are returned, this is a finding. Is it the case that timestamp_timeout is not set with the appropriate value for sudo? The runtime status of the fs.protected_hardlinks kernel parameter can be queried by running the following command: $ sysctl fs.protected_hardlinks 1. Is it the case that the correct value is not returned? The runtime status of the fs.protected_symlinks kernel parameter can be queried by running the following command: $ sysctl fs.protected_symlinks 1. Is it the case that the correct value is not returned? The runtime status of the fs.suid_dumpable kernel parameter can be queried by running the following command: $ sysctl fs.suid_dumpable 0. Is it the case that the correct value is not returned? The runtime status of the kernel.dmesg_restrict kernel parameter can be queried by running the following command: $ sysctl kernel.dmesg_restrict 1. Is it the case that the correct value is not returned? The runtime status of the kernel.randomize_va_space kernel parameter can be queried by running the following command: $ sysctl kernel.randomize_va_space 2. Is it the case that the correct value is not returned? The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried by running the following command: $ sysctl kernel.yama.ptrace_scope 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.log_martians 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.rp_filter The output of the command should indicate either: net.ipv4.conf.all.rp_filter = 1 or: net.ipv4.conf.all.rp_filter = 2 The output of the command should not indicate: net.ipv4.conf.all.rp_filter = 0 The preferable way how to assure the runtime compliance is to have correct persistent configuration, and rebooting the system. The persistent sysctl parameter configuration is performed by specifying the appropriate assignment in any file located in the /etc/sysctl.d directory. Verify that there is not any existing incorrect configuration by executing the following command: $ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d The command should not find any assignments other than: net.ipv4.conf.all.rp_filter = 1 or: net.ipv4.conf.all.rp_filter = 2 Conflicting assignments are not allowed. Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0? The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.secure_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.all.send_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.accept_source_route 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.log_martians 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.rp_filter 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.secure_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv4.conf.default.send_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_echo_ignore_broadcasts 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command: $ sysctl net.ipv4.icmp_ignore_bogus_error_responses 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.ip_forward kernel parameter can be queried by running the following command: $ sysctl net.ipv4.ip_forward 0. The ability to forward packets is only appropriate for routers. Is it the case that the correct value is not returned? The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried by running the following command: $ sysctl net.ipv4.tcp_syncookies 1. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_ra 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.accept_source_route 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.all.forwarding kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.all.forwarding 0. The ability to forward packets is only appropriate for routers. Is it the case that IP forwarding value is "1" and the system is not router? The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_ra 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_redirects 0. Is it the case that the correct value is not returned? The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried by running the following command: $ sysctl net.ipv6.conf.default.accept_source_route 0. Is it the case that the correct value is not returned? To ensure logs are sent securely to a remote host, examine the file /etc/systemd/journal-upload.conf(.d/*.conf). ServerKeyFile should be present: ServerKeyFile= ServerCertificateFile should be present: ServerCertificateFile= TrustedCertificateFile should be present: TrustedCertificateFile= Is it the case that systemd-journal-upload TLS configuration is missing or commented in /etc/systemd/journal-upload.conf? To ensure logs are sent to a remote host, examine the file /etc/systemd/journal-upload.conf(.d/*.conf). URL should be present: URL= Is it the case that systemd-journal-upload URL is missing or commented in /etc/systemd/journal-upload.conf? Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: $ sudo ufw show raw Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: $ sudo ufw allow "direction" "port/protocol/service" where the direction is "in" or "out" and the port is the one corresponding to the protocol or service allowed. To deny access to ports, protocols, or services, use: $ sudo ufw deny "direction" "port/protocol/service" Is it the case that unauthorized network services can be accessed from the network? Check all the services listening to the ports with the following command: $ sudo ss -l46ut Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 128 [::]:ssh [::]:* For each entry, verify that the ufw is configured to rate limit the service ports with the following command: $ sudo ufw status If any port with a state of "LISTEN" is not marked with the "LIMIT" action, run the following command, replacing "service" with the service that needs to be rate limited: $ sudo ufw limit "service" Rate-limiting can also be done on an interface. An example of adding a rate-limit on the eth0 interface follows: $ sudo ufw limit in on eth0 Is it the case that network interface not rate-limit? Run the following command to determine open ports: # ss -tuln Run the following command to determine firewall rules: # ufw status verbose For each port identified in the audit which does not have a firewall rule, add rule for accepting or denying inbound connections # ufw allow in / Is it the case that open ports are denied connection? Run the following command to check if the line is present: grep pam_wheel /etc/pam.d/su The output should contain the following line: auth required pam_wheel.so use_uid group= Is it the case that the line is not in the file or it is commented? Verify that use_mappers is set to pwent in /etc/pam_pkcs11/pam_pkcs11.conf file with the following command: $ grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf use_mappers = pwent Is it the case that use_mappers is not uncommented or configured correctly? Run the following command to determine if the vlock package is installed: $ dpkg -l vlock Is it the case that the package is not installed? Verify that there are no wireless interfaces configured on the system with the following command: $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename -a Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. Is it the case that a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)? To check that audit is enabled at boot time, check all boot entries with following command: sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf No line should be returned, each line returned is a boot entry that doesn't enable audit. Is it the case that auditing is not enabled at boot time? To check that all boot entries extend the backlog limit; Check that all boot entries extend the log events queue: sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf No line should be returned, each line returned is a boot entry that does not extend the log events queue. Is it the case that audit backlog limit is not configured?