OVALFileLinker from SCAP Security Guide ssg: [0, 1, 80], python: 3.10.12 5.11.2 2026-01-21T21:18:20 Make the auditd Configuration Immutable Ubuntu 22.04 Force a reboot to change audit rules is enabled Record Events that Modify the System's Network Environment Ubuntu 22.04 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. Record Attempts to Alter Process and Session Initiation Information Ubuntu 22.04 Audit rules should capture information about session initiation. Record Events When Executables Are Run As Another User Ubuntu 22.04 Ensure audit rule for all uses of privileged functions is enabled Record Events When Privileged Executables Are Run Ubuntu 22.04 Ensure audit rule for all uses of privileged functions is enabled Ensure auditd Collects System Administrator Actions Ubuntu 22.04 Audit actions taken by system administrators on the system. System Audit Logs Must Have Mode 0750 or Less Permissive Ubuntu 22.04 Checks for correct permissions for audit logs. System Audit Logs Must Be Group Owned By Root Ubuntu 22.04 Checks that all audit log files are group owned by the root user. System Audit Logs Must Be Group Owned By Root Ubuntu 22.04 Checks that all audit log files are group owned by the root user. System Audit Logs Must Be Owned By Root Ubuntu 22.04 Checks that all audit log files are owned by the root user. System Audit Logs Must Have Mode 0640 or Less Permissive Ubuntu 22.04 Checks for correct permissions for all audit log files. System Audit Logs Must Have Mode 0600 or Less Permissive Ubuntu 22.04 Checks for correct permissions for all audit log files. Ensure auditd Collects Information on the Use of Privileged Commands Ubuntu 22.04 Audit rules about the information on the use of privileged commands are enabled. Ensure auditd Collects Information on the Use of Privileged Commands - fdisk Ubuntu 22.04 Ensure audit rule for all uses of the fdisk command is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - kmod Ubuntu 22.04 Ensure audit rule for all uses of the kmod command is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - modprobe Ubuntu 22.04 Ensure audit rule for all uses of the modprobe command is enabled. Record attempts to alter time through adjtimex Ubuntu 22.04 Record attempts to alter time through adjtimex. Record Attempts to Alter Time Through clock_settime Ubuntu 22.04 Record attempts to alter time through clock_settime. Record attempts to alter time through settimeofday Ubuntu 22.04 Record attempts to alter time through settimeofday. Configure audispd Plugin To Send Logs To Remote Server Ubuntu 22.04 remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname Configure auditd Disk Error Action on Disk Error Ubuntu 22.04 disk_error_action setting in /etc/audit/auditd.conf is set to a certain action Configure auditd Disk Full Action when Disk Space Is Full Ubuntu 22.04 disk_full_action setting in /etc/audit/auditd.conf is set to a certain action Configure auditd mail_acct Action on Low Disk Space Ubuntu 22.04 action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account Configure auditd admin_space_left Action on Low Disk Space Ubuntu 22.04 admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action Configure auditd Max Log File Size Ubuntu 22.04 max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value Configure auditd max_log_file_action Upon Reaching Maximum Log Size Ubuntu 22.04 max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action Configure auditd space_left Action on Low Disk Space Ubuntu 22.04 space_left_action setting in /etc/audit/auditd.conf is set to a certain action Configure auditd space_left on Low Disk Space Ubuntu 22.04 space_left setting in /etc/audit/auditd.conf is set to at least a certain value Offload audit Logs to External Media Ubuntu 22.04 Check if a script for audit offload exists in /etc/cron.weekly/ Disable unauthenticated repositories in APT configuration Ubuntu 22.04 Accessing a repository should be allowed only when the repository is authenticated. Ensure Mail Transfer Agent is not Listening on any non-loopback Address Ubuntu 22.04 Verify MTA is not listening on any non-loopback address Disable Postfix Network Listening Ubuntu 22.04 Postfix network listening should be disabled Chrony Configure Pool and Server Ubuntu 22.04 A remote NTP Server for time synchronization should be specified (and dependencies are met) Configure Time Service Maxpoll Interval Ubuntu 22.04 Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers. Ensure that chronyd is running under chrony user account Ubuntu 22.04 Ensure 'user' is configured with value '_chrony' in /etc/chrony/chrony.conf Ensure a Single Time Synchronization Service is in Use Ubuntu 22.04 Ensure a Single Time Synchronization Service is in Use Configure Systemd Timesyncd Servers Ubuntu 22.04 Ensure that timesyncd is enabled and configured Remove Rsh Trust Files Ubuntu 22.04 There should not be any .rhosts or hosts.equiv files on the system. Verify Permissions on SSH Server Private *_key Key Files Ubuntu 22.04 Limit Users' SSH Access Ubuntu 22.04 One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups. Set SSH Client Alive Interval Ubuntu 22.04 The SSH idle timeout interval should be set to an appropriate value. Ensure SSH LoginGraceTime is configured Ubuntu 22.04 The SSH number seconds for login grace time should be set to an appropriate value. Set SSH authentication attempt limit Ubuntu 22.04 The SSH MaxAuthTries should be set to an appropriate value. Set SSH MaxSessions limit Ubuntu 22.04 The SSH number of max sessions should be set to an appropriate value. Ensure SSH MaxStartups is configured Ubuntu 22.04 Ensure 'MaxStartups' is properly configured in SSH configuration files. Use Only FIPS 140-2 Validated Ciphers Ubuntu 22.04 Limit the ciphers to those which are FIPS-approved. Use Only FIPS 140-2 Validated Key Exchange Algorithms Ubuntu 22.04 Limit the KexAlgorithms to those which are FIPS-approved. Use Only FIPS 140-2 Validated MACs Ubuntu 22.04 Limit the Message Authentication Codes (MACs) to those which are FIPS-approved. Use Only Strong Ciphers Ubuntu 22.04 Ensure 'Ciphers' is configured with value '((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Use Only Strong Key Exchange algorithms Ubuntu 22.04 Limit the Key Exchange Algorithms to those which are FIPS-approved. Use Only Strong MACs Ubuntu 22.04 Ensure only strong MAC algorithms are used Configure SSSD to Expire Offline Credentials Ubuntu 22.04 SSSD should be configured to expire offline credentials after 1 day. Modify the System Login Banner for Remote Connections Ubuntu 22.04 The system login banner text should be set correctly. Enable GNOME3 Login Warning Banner Ubuntu 22.04 Enable the GNOME3 Login warning banner. Set the GNOME3 Login Warning Banner Text Ubuntu 22.04 Enable the GUI warning banner. Verify pam_unix module is activated Ubuntu 22.04 Ensure pam_unix.so is properly configured in PAM configuration files Verify pam_pwhistory module is activated Ubuntu 22.04 The passwords to remember should be set correctly. Limit Password Reuse Ubuntu 22.04 Enforce password history for root of pam_pwhistory. Limit Password Reuse Ubuntu 22.04 The passwords to remember of pam_pwhistory should be set correctly. Enforce Password History with use_authtok Ubuntu 22.04 Configure the system to include use_authtok for pam_pwhistory common_password configuration file Require use_authtok for pam_unix.so Ubuntu 22.04 Configure the system to include use_authtok in pam common_password configuration file Account Lockouts Must Be Logged Ubuntu 22.04 Account Lockouts Must Be Logged Ensure pam_faillock module is enabled Ubuntu 22.04 Do Not Show System Messages When Unsuccessful Logon Attempts Occur Ubuntu 22.04 Prevent System Messages When Three Unsuccessful Logon Attempts Occur Ensure PAM Enforces Password Requirements - Enforce for root User Ubuntu 22.04 The password policy should also be enforced for root. Verify pam_pwquality module is activated Ubuntu 22.04 Check pam_pwquality module is enabled Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session Ubuntu 22.04 The password retry should meet minimum requirements Set Password Hashing Algorithm in /etc/login.defs Ubuntu 22.04 The password hashing algorithm should be set correctly in /usr/etc/login.defs. Set PAM Password Hashing Algorithm - system-auth Ubuntu 22.04 The password hashing algorithm should be set correctly in {{{ pam_file }}}. Disable Ctrl-Alt-Del Reboot Activation Ubuntu 22.04 By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed. Configure Smart Card Certificate Authority Validation Ubuntu 22.04 Enable Smart Card CA Checks Configure Smart Card Certificate Status Checking Ubuntu 22.04 Enable Smart Card Login Configure Smart Card Local Cache of Revocation Data Ubuntu 22.04 Enable local cache of revocation data for PKI-based authentication Enable Smart Card Logins in PAM Ubuntu 22.04 Enable Smart Card logins using PAM Ensure All Accounts on the System Have Unique User IDs Ubuntu 22.04 All accounts on the system should have unique IDs for proper accountability. Ensure All Groups on the System Have Unique Group ID Ubuntu 22.04 All groups on the system should have unique names for proper accountability. Ensure All Groups on the System Have Unique Group Names Ubuntu 22.04 All groups on the system should have unique names for proper accountability. Ensure nologin Shell is Not Listed in /etc/shells Ubuntu 22.04 The nologin shell should not be listed in /etc/shells. Set Account Expiration Following Inactivity Ubuntu 22.04 The accounts should be configured to expire automatically following password expiration. Ensure All Accounts on the System Have Unique Names Ubuntu 22.04 All accounts on the system should have unique names for proper accountability. Ensure shadow Group is Empty Ubuntu 22.04 Ensure shadow group is empty Set Password Maximum Age Ubuntu 22.04 The maximum password age policy should meet minimum requirements. Set Password Minimum Age Ubuntu 22.04 The minimum password age policy should be set appropriately. Set Existing Passwords Maximum Age Ubuntu 22.04 Set Existing Passwords Maximum Age Set Existing Passwords Minimum Age Ubuntu 22.04 Set Existing Passwords Maximum Age Set Password Warning Age Ubuntu 22.04 The password expiration warning age should be set appropriately. Set existing passwords a period of inactivity before they been locked Ubuntu 22.04 Set existing passwords a period of inactivity before they been locked Verify All Account Password Hashes are Shadowed Ubuntu 22.04 All password hashes should be shadowed. Ensure all users last password change date is in the past Ubuntu 22.04 All passwords last change date is in the past. Avoid using remember in pam_unix module Ubuntu 22.04 The pam_unix module should not include remember option All GIDs referenced in /etc/passwd must be defined in /etc/group Ubuntu 22.04 All GIDs referenced in /etc/passwd must be defined in /etc/group. Ensure no duplicate UIDs exist Ubuntu 22.04 Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Prevent Login to Accounts With Empty Password Ubuntu 22.04 The file /etc/pam.d/system-auth should not contain the nullok option Ensure There Are No Accounts With Blank or Null Passwords Ubuntu 22.04 The file /etc/shadow shows that there aren't empty passwords Prevent Login to Accounts With Empty Password Ubuntu 22.04 The file /etc/pam.d/common-* should not contain the nullok option Verify No .forward Files Exist Ubuntu 22.04 The .forward file specifies an email address to forward the user's mail to. Any .forward files should be removed. Verify No netrc Files Exist Ubuntu 22.04 The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed. Verify Only Root Has UID 0 Ubuntu 22.04 Only the root account should be assigned a user id of 0. Verify Root Has A Primary GID 0 Ubuntu 22.04 The root account should have primary group of 0 Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty Ubuntu 22.04 Group referred by var_pam_wheel_group_for_su variable exists and has no members. Ensure root account access is controlled Ubuntu 22.04 Ensure root account access is controlled Verify Only Group Root Has GID 0 Ubuntu 22.04 Only the root group should be assigned a GID of 0. Verify Non-Interactive Accounts Are Locked Ubuntu 22.04 Ensure Accounts Without Valid Login Shell Are Locked Ensure that System Accounts Do Not Run a Shell Upon Login Ubuntu 22.04 The root account is the only system account that should have a login shell. Direct root Logins Are Not Allowed Ubuntu 22.04 Direct root Logins Are Not Allowed Enforce Usage of pam_wheel with Group Parameter for su Authentication Ubuntu 22.04 Only members of the group set in variable 'var_pam_wheel_group_for_su' should be able to authenticate through the su command. Limit the Number of Concurrent Login Sessions Allowed Per User Ubuntu 22.04 The maximum number of concurrent login sessions per user should meet minimum requirements. Set Interactive Session Timeout Ubuntu 22.04 Checks interactive shell timeout User Initialization Files Must Be Group-Owned By The Primary Group Ubuntu 22.04 User Initialization Files Must Be Group-Owned By The Primary Group User Initialization Files Must Be Owned By the Primary User Ubuntu 22.04 User Initialization Files Must Be Owned By the Primary User All Interactive Users Home Directories Must Exist Ubuntu 22.04 All Interactive Users Home Directories Must Exist All Interactive User Home Directories Must Be Group-Owned By The Primary Group Ubuntu 22.04 All interactive user's Home Directories must be group-owned by its user All Interactive User Home Directories Must Be Owned By The Primary User Ubuntu 22.04 All interactive user's Home Directories must be owned by its user Ensure User Bash History File Has Correct Permissions Ubuntu 22.04 User Bash History File Has Correct Permissions Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Ubuntu 22.04 User initialization files have mode 0740 or less permissive All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Ubuntu 22.04 All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Ensure that Root's Path Does Not Include World or Group-Writable Directories Ubuntu 22.04 Check each directory in root's path and make use it does not grant write permission to group and other Ensure that All Root's Path Directories Are Owned by Root Ubuntu 22.04 Check each directory in root's path and make sure it is owned by root Ensure that All Entries in The Path of Root Are Directories Ubuntu 22.04 Check each directory in root's path and ensure it is a directory Ensure that Root's Path Does Not Include Relative Paths or Null Directories Ubuntu 22.04 The environment variable PATH should be set correctly for the root user. Ensure the Default Bash Umask is Set Correctly Ubuntu 22.04 The default umask for users of the bash shell Ensure the Default Umask is Set Correctly in login.defs Ubuntu 22.04 The default umask for all users specified in {{{ login_defs_path }}} Ensure the Default Umask is Set Correctly in /etc/profile Ubuntu 22.04 The default umask for all users should be set correctly Ensure the Root Bash Umask is Set Correctly Ubuntu 22.04 The umask for root user of the bash shell All AppArmor Profiles are in enforce or complain mode Ubuntu 22.04 Ensure AppArmor profiles are in enforce complain mode Ensure AppArmor is enabled in the bootloader configuration Ubuntu 22.04 Ensure AppArmor is enabled in the bootloader configuration Set Boot Loader Password in grub2 Ubuntu 22.04 The grub2 boot loader should have password protection enabled. Set the UEFI Boot Loader Password Ubuntu 22.04 The UEFI grub2 boot loader should have password protection enabled. Ensure real-time clock is set to UTC Ubuntu 22.04 Ensure RTC is using UTC as its time base Ensure remote access methods are monitored in Rsyslog Ubuntu 22.04 Rsyslog should be configured to monitor remote access methods. Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile Ubuntu 22.04 systemd-journal-upload server TLS configuration in /etc/systemd/journal-upload.conf Configure systemd-journal-upload URL Ubuntu 22.04 systemd-journal-upload URL in /etc/systemd/journal-upload.conf is configured Ensure Logrotate Runs Periodically Ubuntu 22.04 The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily Ensure nftables Rules are Permanent Ubuntu 22.04 Make sure that there is permanent nftables configuration file used to save and re-apply rules on reboot Deactivate Wireless Network Interfaces Ubuntu 22.04 All wireless interfaces should be disabled. Verify that All World-Writable Directories Have Sticky Bits Set Ubuntu 22.04 The sticky bit should be set for all world-writable directories. Ensure No World-Writable Files Exist Ubuntu 22.04 The world-write permission should be disabled for all files. Ensure All Files Are Owned by a Group Ubuntu 22.04 All files should be owned by a group Verify ownership of log files Ubuntu 22.04 Group owner of /var/log/* should be root or adm. Verify ownership of log files Ubuntu 22.04 Owner of /var/log/* should be root or syslog. Verify that system commands files are group owned by root or a system account Ubuntu 22.04 Checks that system commands in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin are owned by system group. Verify that System Executables Have Root Ownership Ubuntu 22.04 Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /usr/libexec, and objects therein, are owned by root. Verify that System Executables Have Restrictive Permissions Ubuntu 22.04 Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable. Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root or a required system account. Ubuntu 22.04 Verify the system-wide library files in directories /lib, /lib64, /usr/lib/ and /usr/lib64 are group-owned by root. Disable Core Dumps for All Users Ubuntu 22.04 Core dumps for all users should be disabled Enable NX or XD Support in the BIOS Ubuntu 22.04 The NX (no-execution) bit flag should be set on the system. Encrypt Partitions Ubuntu 22.04 Verify all partitions are encrypted except /boot /boot/efi Configure GNOME3 DConf User Profile Ubuntu 22.04 The DConf User and gdm profiles should have the correct DB configured. Disable the GNOME3 Login User List Ubuntu 22.04 Disable the GNOME3 GUI listing of all known users on the login screen. Disable XDMCP in GDM Ubuntu 22.04 Ensure 'Enable' is configured with value 'false in section 'xdmcp' in /etc/gdm3/custom.conf Disable GNOME3 automount Ubuntu 22.04 The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount within GNOME3. Disable GNOME3 automount-open Ubuntu 22.04 The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount-open within GNOME3. Disable GNOME3 autorun Ubuntu 22.04 The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable autorun within GNOME3. Set GNOME3 Screensaver Inactivity Timeout Ubuntu 22.04 The allowed period of inactivity before the screensaver is activated. Set GNOME3 Screensaver Lock Delay After Activation Period Ubuntu 22.04 Idle activation of the screen lock should be enabled immediately or after a delay. Enable GNOME3 Screensaver Lock After Idle Period Ubuntu 22.04 Idle activation of the screen lock should be enabled. Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 Ubuntu 22.04 Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. Verify '/proc/sys/crypto/fips_enabled' exists Ubuntu 22.04 Inspect the contents of /proc/sys/crypto/fips_enabled Build and Test AIDE Database Ubuntu 22.04 The aide database must be initialized. Configure AIDE to Verify the Audit Tools Ubuntu 22.04 The Ubuntu 22.04 operating system file integrity tool must be configured to protect the integrity of the audit tools. Configure Periodic Execution of AIDE Ubuntu 22.04 By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files. Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate Ubuntu 22.04 Checks sudo usage without authentication Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Ubuntu 22.04 Checks sudo usage without password Ensure Users Re-Authenticate for Privilege Escalation - sudo Ubuntu 22.04 Checks sudo usage without password Require Re-Authentication When Using the sudo Command Ubuntu 22.04 'Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout Ensure APT Removes Previous Package Versions Ubuntu 22.04 Configure APT to remove all software components after updated versions have been installed. Ensure PAM Enforces Password Requirements - Minimum Digit Characters Ubuntu 22.04 The password dcredit should meet minimum requirements Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words Ubuntu 22.04 The password dictcheck should meet minimum requirements Ensure PAM Enforces Password Requirements - Minimum Different Characters Ubuntu 22.04 The password difok should meet minimum requirements Ensure PAM Enforces Password Requirements - Enforcing Ubuntu 22.04 Check presence of enforcing = 1 in /etc/security/pwquality.conf Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters Ubuntu 22.04 The password lcredit should meet minimum requirements Set Password Maximum Consecutive Repeating Characters Ubuntu 22.04 The password maxrepeat should meet minimum requirements Limit the maximum number of sequential characters in passwords Ubuntu 22.04 The password maxsequence should meet minimum requirements Ensure PAM Enforces Password Requirements - Minimum Different Categories Ubuntu 22.04 The password minclass should meet minimum requirements Ensure PAM Enforces Password Requirements - Minimum Length Ubuntu 22.04 The password minlen should meet minimum requirements Ensure PAM Enforces Password Requirements - Minimum Special Characters Ubuntu 22.04 The password ocredit should meet minimum requirements Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Ubuntu 22.04 The password ucredit should meet minimum requirements Enforce Delay After Failed Logon Attempts Ubuntu 22.04 Configure PAM module Lock Accounts After Failed Password Attempts Ubuntu 22.04 Lockout account after failed login attempts. Set Interval For Counting Failed Password Attempts Ubuntu 22.04 The number of allowed failed logins should be set correctly. Set Root Lockout Time for Failed Password Attempts Ubuntu 22.04 The unlock time after number of failed logins should be set correctly. Set Lockout Time for Failed Password Attempts Ubuntu 22.04 The unlock time after number of failed logins should be set correctly. Configure AIDE To Notify Personnel if Baseline Configurations Are Altered Ubuntu 22.04 Ensure 'SILENTREPORTS' is configured with value 'no' in /etc/default/aide Ensure AppArmor is Active and Configured Ubuntu 22.04 The apparmor service should be enabled if possible. Record Events that Modify the System's Discretionary Access Controls - chmod Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - chown Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fchmod Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fchmodat Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fchown Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fchownat Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fremovexattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - fsetxattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - lchown Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - lremovexattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - lsetxattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - removexattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Events that Modify the System's Discretionary Access Controls - setxattr Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Any Attempts to Run chacl Ubuntu 22.04 Audit rules about the information on the use of chacl is enabled. Record Any Attempts to Run chcon Ubuntu 22.04 Audit rules about the information on the use of chcon is enabled. Record Any Attempts to Run setfacl Ubuntu 22.04 Audit rules about the information on the use of setfacl is enabled. Ensure auditd Collects File Deletion Events by User - rename Ubuntu 22.04 The deletion of files should be audited. Ensure auditd Collects File Deletion Events by User - renameat Ubuntu 22.04 The deletion of files should be audited. Ensure auditd Collects File Deletion Events by User - rmdir Ubuntu 22.04 The deletion of files should be audited. Ensure auditd Collects File Deletion Events by User - unlink Ubuntu 22.04 The deletion of files should be audited. Ensure auditd Collects File Deletion Events by User - unlinkat Ubuntu 22.04 The deletion of files should be audited. Ensure auditd Collects Information on Kernel Module Unloading - delete_module Ubuntu 22.04 The audit rules should be configured to log information about kernel module loading and unloading. Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module Ubuntu 22.04 The audit rules should be configured to log information about kernel module loading and unloading. Ensure auditd Collects Information on Kernel Module Loading - init_module Ubuntu 22.04 The audit rules should be configured to log information about kernel module loading and unloading. Record Attempts to Alter Logon and Logout Events - faillock Ubuntu 22.04 Check if actions on path specified in the 'var_accounts_passwords_pam_faillock_dir' variable are configured to be audited Record Attempts to Alter Logon and Logout Events - faillog Ubuntu 22.04 Check if actions on '/var/log/faillog' are configured to be audited Record Attempts to Alter Logon and Logout Events - lastlog Ubuntu 22.04 Check if actions on '/var/log/lastlog' are configured to be audited Record Events that Modify the System's Mandatory Access Controls (/etc/apparmor) Ubuntu 22.04 Check if actions on '/etc/apparmor' are configured to be audited Record Events that Modify the System's Mandatory Access Controls (/etc/apparmor.d) Ubuntu 22.04 Check if actions on '/etc/apparmor.d' are configured to be audited Ensure auditd Collects Information on Exporting to Media (successful) Ubuntu 22.04 The changing of file permissions and attributes should be audited. Record Any Attempts to Run apparmor_parser Ubuntu 22.04 Audit rules about the information on the use of apparmor_parser is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - chage Ubuntu 22.04 Audit rules about the information on the use of chage is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - chfn Ubuntu 22.04 Audit rules about the information on the use of chfn is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - chsh Ubuntu 22.04 Audit rules about the information on the use of chsh is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - crontab Ubuntu 22.04 Audit rules about the information on the use of crontab is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Ubuntu 22.04 Audit rules about the information on the use of gpasswd is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - mount Ubuntu 22.04 Audit rules about the information on the use of mount is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Ubuntu 22.04 Audit rules about the information on the use of newgrp is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Ubuntu 22.04 Audit rules about the information on the use of pam_timestamp_check is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - passwd Ubuntu 22.04 Audit rules about the information on the use of passwd is enabled. Record Any Attempts to Run ssh-agent Ubuntu 22.04 Audit rules about the information on the use of ssh_agent is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Ubuntu 22.04 Audit rules about the information on the use of ssh_keysign is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - su Ubuntu 22.04 Audit rules about the information on the use of su is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - sudo Ubuntu 22.04 Audit rules about the information on the use of sudo is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit Ubuntu 22.04 Audit rules about the information on the use of sudoedit is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - umount Ubuntu 22.04 Audit rules about the information on the use of umount is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - unix_update Ubuntu 22.04 Audit rules about the information on the use of unix_update is enabled. Ensure auditd Collects Information on the Use of Privileged Commands - usermod Ubuntu 22.04 Audit rules about the information on the use of usermod is enabled. Record Attempts to Alter Process and Session Initiation Information btmp Ubuntu 22.04 Check if actions on '/var/log/btmp' are configured to be audited Record Attempts to Alter Process and Session Initiation Information utmp Ubuntu 22.04 Check if actions on '/var/run/utmp' are configured to be audited Record Attempts to Alter Process and Session Initiation Information wtmp Ubuntu 22.04 Check if actions on '/var/log/wtmp' are configured to be audited Ensure auditd Collects System Administrator Actions - /etc/sudoers Ubuntu 22.04 Check if actions on '/etc/sudoers' are configured to be audited Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ Ubuntu 22.04 Check if actions on '/etc/sudoers.d/' are configured to be audited Record Attempts to Alter the localtime File Ubuntu 22.04 Check if actions on '/etc/localtime' are configured to be audited Record Unsuccessful Access Attempts to Files - creat Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Unsuccessful Access Attempts to Files - ftruncate Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Unsuccessful Access Attempts to Files - open Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Unsuccessful Access Attempts to Files - open_by_handle_at Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Unsuccessful Access Attempts to Files - openat Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Unsuccessful Access Attempts to Files - truncate Ubuntu 22.04 Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled. Record Events that Modify User/Group Information - /etc/group Ubuntu 22.04 Check if actions on '/etc/group' are configured to be audited Record Events that Modify User/Group Information - /etc/gshadow Ubuntu 22.04 Check if actions on '/etc/gshadow' are configured to be audited Record Events that Modify User/Group Information - /etc/nsswitch.conf Ubuntu 22.04 Check if actions on '/etc/nsswitch.conf' are configured to be audited Record Events that Modify User/Group Information - /etc/security/opasswd Ubuntu 22.04 Check if actions on '/etc/security/opasswd' are configured to be audited Record Events that Modify User/Group Information - /etc/pam.conf Ubuntu 22.04 Check if actions on '/etc/pam.conf' are configured to be audited Record Events that Modify User/Group Information - /etc/pam.d/ Ubuntu 22.04 Check if actions on '/etc/pam.d/' are configured to be audited Record Events that Modify User/Group Information - /etc/passwd Ubuntu 22.04 Check if actions on '/etc/passwd' are configured to be audited Record Events that Modify User/Group Information - /etc/shadow Ubuntu 22.04 Check if actions on '/etc/shadow' are configured to be audited Ensure auditd Collects records for events that affect "/var/log/journal" Ubuntu 22.04 Check if actions on '/var/log/journal/' are configured to be audited Record Attempts to perform maintenance activities Ubuntu 22.04 Check if actions on '/var/log/sudo.log' are configured to be audited Ensure Local Login Warning Banner Is Configured Properly Ubuntu 22.04 Check that /etc/issue does not contain OS and version information Ensure Remote Login Warning Banner Is Configured Properly Ubuntu 22.04 Check that /etc/issue.net does not contain OS and version information Ensure Message Of The Day Is Configured Properly Ubuntu 22.04 Check that /etc/motd does not contain OS and version information Synchronize internal information system clocks Ubuntu 22.04 Ensure 'makestep' is configured with value '1 -1' in /etc/chrony/chrony.conf Verify that Shared Library Directories Have Root Group Ownership Ubuntu 22.04 This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ is group owned by 0. Verify group-owner of system journal directories Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ is group owned by systemd-journal. Verify that system commands directories are group owned by root Ubuntu 22.04 This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ is group owned by 0. Verify owner of system journal directories Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ is owned by 0. Verify that System Executable Have Root Ownership Ubuntu 22.04 This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ is owned by 0. Verify that Shared Library Directories Have Root Ownership Ubuntu 22.04 This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ is owned by 0. Verify that System Executable Directories Have Restrictive Permissions Ubuntu 22.04 This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ has mode 0755. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on the system journal directories Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ has mode 2750. If the target file or directory has an extended ACL, then it will fail the mode check. Disable Host-Based Authentication Ubuntu 22.04 Ensure 'HostbasedAuthentication' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Ensure that /etc/at.allow exists Ubuntu 22.04 This test makes sure that/etc/at.allow does exist. Ensure that /etc/cron.allow exists Ubuntu 22.04 This test makes sure that/etc/cron.allow does exist. Ensure that /etc/cron.deny does not exist Ubuntu 22.04 This test makes sure that/etc/cron.deny does not exist. Verify Group Who Owns /etc/at.allow file Ubuntu 22.04 This test makes sure that /etc/at.allow is group owned by 0. Verify Group Who Owns /etc/at.deny file Ubuntu 22.04 This test makes sure that /etc/at.deny is group owned by 0. Verify Group Who Owns Backup group File Ubuntu 22.04 This test makes sure that /etc/group- is group owned by 0. Verify Group Who Owns Backup gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow- is group owned by 42. Verify Group Who Owns Backup passwd File Ubuntu 22.04 This test makes sure that /etc/passwd- is group owned by 0. Verify User Who Owns Backup shadow File Ubuntu 22.04 This test makes sure that /etc/shadow- is group owned by 42. Verify Group Who Owns /etc/cron.allow file Ubuntu 22.04 This test makes sure that /etc/cron.allow is group owned by crontab. Verify Group Who Owns cron.d Ubuntu 22.04 This test makes sure that /etc/cron.d/ is group owned by 0. Verify Group Who Owns cron.daily Ubuntu 22.04 This test makes sure that /etc/cron.daily/ is group owned by 0. Verify Group Who Owns cron.hourly Ubuntu 22.04 This test makes sure that /etc/cron.hourly/ is group owned by 0. Verify Group Who Owns cron.monthly Ubuntu 22.04 This test makes sure that /etc/cron.monthly/ is group owned by 0. Verify Group Who Owns cron.weekly Ubuntu 22.04 This test makes sure that /etc/cron.weekly/ is group owned by 0. Verify Group Who Owns Crontab Ubuntu 22.04 This test makes sure that /etc/crontab is group owned by 0. Verify Group Who Owns group File Ubuntu 22.04 This test makes sure that /etc/group is group owned by 0. Verify Group Who Owns gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow is group owned by 42. Verify Group Ownership of System Login Banner Ubuntu 22.04 This test makes sure that /etc/issue is group owned by 0. Verify Group Ownership of System Login Banner for Remote Connections Ubuntu 22.04 This test makes sure that /etc/issue.net is group owned by 0. Verify Group Ownership of Message of the Day Banner Ubuntu 22.04 This test makes sure that /etc/motd is group owned by 0. Verify Group Who Owns passwd File Ubuntu 22.04 This test makes sure that /etc/passwd is group owned by 0. Verify Group Who Owns /etc/security/opasswd File Ubuntu 22.04 This test makes sure that /etc/security/opasswd is group owned by 0. Verify Group Who Owns /etc/security/opasswd.old File Ubuntu 22.04 This test makes sure that /etc/security/opasswd.old is group owned by 0. Verify Group Who Owns shadow File Ubuntu 22.04 This test makes sure that /etc/shadow is group owned by 42. Verify Group Who Owns /etc/shells File Ubuntu 22.04 This test makes sure that /etc/shells is group owned by 0. Verify Groupowner on the journalctl command Ubuntu 22.04 This test makes sure that /usr/bin/journalctl is group owned by 0. Verify Group Who Owns SSH Server config file Ubuntu 22.04 This test makes sure that /etc/ssh/sshd_config is group owned by 0. Verify Group Who Owns the system journal Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ is group owned by systemd-journal. Verify Group Who Owns /var/log Directory Ubuntu 22.04 This test makes sure that /var/log/ is group owned by syslog. Verify Group Who Owns /var/log/auth.log File Ubuntu 22.04 This test makes sure that /var/log/auth.log is group owned by adm or root. Verify Group Who Owns /var/log/cloud-init.log* File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by adm or root. Verify Group Who Owns /var/log/*.journal(~) File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by systemd-journal or root. Verify Group Who Owns /var/log/lastlog File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by utmp or root. Verify Group Who Owns /var/log/localmessages* File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by adm or root. Verify Group Who Owns /var/log/messages File Ubuntu 22.04 This test makes sure that /var/log/messages is group owned by 0. Verify Group Who Owns /var/log/secure File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by adm or root. Verify Group Who Owns /var/log/syslog File Ubuntu 22.04 This test makes sure that /var/log/syslog is group owned by 4. Verify Group Who Owns /var/log/waagent.log File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by adm or root. Verify Group Who Owns /var/log/(b|w)tmp(.*|-*) File Ubuntu 22.04 This test makes sure that /var/log/ is group owned by utmp or root. Verify that audit tools are owned by group root Ubuntu 22.04 This test makes sure that /sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/augenrules is group owned by 0. Audit Configuration Files Must Be Owned By Group root Ubuntu 22.04 This test makes sure that /etc/audit/, /etc/audit/rules.d/ is group owned by 0. Verify Groupownership of Files in /var/log/apt Ubuntu 22.04 This test makes sure that /var/log/apt/ is group owned by adm or root. Verify Groupownership of Files in /var/log/gdm Ubuntu 22.04 This test makes sure that /var/log/gdm/ is group owned by gdm or root. Verify Groupownership of Files in /var/log/gdm3 Ubuntu 22.04 This test makes sure that /var/log/gdm3/ is group owned by gdm or gdm3 or root. Verify Groupownership of Files in /var/log/landscape Ubuntu 22.04 This test makes sure that /var/log/landscape/ is group owned by root or landscape. Verify Grouponwership of Files in /var/log/sssd Ubuntu 22.04 This test makes sure that /var/log/sssd/ is group owned by sssd or root. Verify User Who Owns /etc/at.allow file Ubuntu 22.04 This test makes sure that /etc/at.allow is owned by 0. Verify User Who Owns /etc/at.deny file Ubuntu 22.04 This test makes sure that /etc/at.deny is owned by 0. Verify User Who Owns Backup group File Ubuntu 22.04 This test makes sure that /etc/group- is owned by 0. Verify User Who Owns Backup gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow- is owned by 0. Verify User Who Owns Backup passwd File Ubuntu 22.04 This test makes sure that /etc/passwd- is owned by 0. Verify Group Who Owns Backup shadow File Ubuntu 22.04 This test makes sure that /etc/shadow- is owned by 0. Verify User Who Owns /etc/cron.allow file Ubuntu 22.04 This test makes sure that /etc/cron.allow is owned by 0. Verify Owner on cron.d Ubuntu 22.04 This test makes sure that /etc/cron.d/ is owned by 0. Verify Owner on cron.daily Ubuntu 22.04 This test makes sure that /etc/cron.daily/ is owned by 0. Verify Owner on cron.hourly Ubuntu 22.04 This test makes sure that /etc/cron.hourly/ is owned by 0. Verify Owner on cron.monthly Ubuntu 22.04 This test makes sure that /etc/cron.monthly/ is owned by 0. Verify Owner on cron.weekly Ubuntu 22.04 This test makes sure that /etc/cron.weekly/ is owned by 0. Verify Owner on crontab Ubuntu 22.04 This test makes sure that /etc/crontab is owned by 0. Verify User Who Owns group File Ubuntu 22.04 This test makes sure that /etc/group is owned by 0. Verify User Who Owns gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow is owned by 0. Verify ownership of System Login Banner Ubuntu 22.04 This test makes sure that /etc/issue is owned by 0. Verify ownership of System Login Banner for Remote Connections Ubuntu 22.04 This test makes sure that /etc/issue.net is owned by 0. Verify ownership of Message of the Day Banner Ubuntu 22.04 This test makes sure that /etc/motd is owned by 0. Verify User Who Owns passwd File Ubuntu 22.04 This test makes sure that /etc/passwd is owned by 0. Verify User Who Owns /etc/security/opasswd File Ubuntu 22.04 This test makes sure that /etc/security/opasswd is owned by 0. Verify User Who Owns /etc/security/opasswd.old File Ubuntu 22.04 This test makes sure that /etc/security/opasswd.old is owned by 0. Verify User Who Owns shadow File Ubuntu 22.04 This test makes sure that /etc/shadow is owned by 0. Verify Who Owns /etc/shells File Ubuntu 22.04 This test makes sure that /etc/shells is owned by 0. Verify /boot/grub/grub.cfg User Ownership Ubuntu 22.04 This test makes sure that /boot/grub/grub.cfg is owned by 0. Verify Owner on the journalctl Command Ubuntu 22.04 This test makes sure that /usr/bin/journalctl is owned by 0. Verify Owner on SSH Server config file Ubuntu 22.04 This test makes sure that /etc/ssh/sshd_config is owned by 0. Verify Owner on the system journal Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ is owned by 0. Verify User Who Owns /var/log Directory Ubuntu 22.04 This test makes sure that /var/log/ is owned by 0. Verify User Who Owns /var/log/auth.log File Ubuntu 22.04 This test makes sure that /var/log/auth.log is owned by syslog or root. Verify User Who Owns /var/log/cloud-init.log File Ubuntu 22.04 This test makes sure that /var/log/ is owned by syslog or root. Verify User Who Owns /var/log/*.journal(~) Files Ubuntu 22.04 This test makes sure that /var/log/ is owned by 0. Verify User Who Owns /var/log/lastlog File Ubuntu 22.04 This test makes sure that /var/log/ is owned by 0. Verify User Who Owns /var/log/localmessages File Ubuntu 22.04 This test makes sure that /var/log/ is owned by syslog or root. Verify User Who Owns /var/log/messages File Ubuntu 22.04 This test makes sure that /var/log/messages is owned by 0. Verify User Who Owns /var/log/secure File Ubuntu 22.04 This test makes sure that /var/log/ is owned by syslog or root. Verify User Who Owns /var/log/syslog File Ubuntu 22.04 This test makes sure that /var/log/syslog is owned by syslog. Verify User Who Owns /var/log/waagent.log File Ubuntu 22.04 This test makes sure that /var/log/ is owned by syslog or root. Verify User Who Owns /var/log/(b|w)tmp(.*|-*) File Ubuntu 22.04 This test makes sure that /var/log/ is owned by 0. Verify that audit tools are owned by root Ubuntu 22.04 This test makes sure that /sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/augenrules is owned by 0. Audit Configuration Files Must Be Owned By Root Ubuntu 22.04 This test makes sure that /etc/audit/, /etc/audit/rules.d/ is owned by 0. Verify that Shared Library Files Have Root Ownership Ubuntu 22.04 This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ is owned by 0. Verify Ownership of Files in /var/log/apt Ubuntu 22.04 This test makes sure that /var/log/apt/ is owned by 0. Verify Ownership of Files in /var/log/gdm Ubuntu 22.04 This test makes sure that /var/log/gdm/ is owned by 0. Verify Ownership of Files in /var/log/gdm3 Ubuntu 22.04 This test makes sure that /var/log/gdm3/ is owned by 0. Verify Ownership of Files in /var/log/landscape Ubuntu 22.04 This test makes sure that /var/log/landscape/ is owned by root or landscape. Verify Ownership of Files in /var/log/sssd Ubuntu 22.04 This test makes sure that /var/log/sssd/ is owned by sssd or root. Verify Permissions on /etc/at.allow file Ubuntu 22.04 This test makes sure that /etc/at.allow has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/at.deny file Ubuntu 22.04 This test makes sure that /etc/at.deny has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify that audit tools Have Mode 0755 or less Ubuntu 22.04 This test makes sure that /sbin/auditctl, /sbin/aureport, /sbin/ausearch, /sbin/autrace, /sbin/auditd, /sbin/augenrules has mode 0755. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on Backup group File Ubuntu 22.04 This test makes sure that /etc/group- has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on Backup gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow- has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on Backup passwd File Ubuntu 22.04 This test makes sure that /etc/passwd- has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on Backup shadow File Ubuntu 22.04 This test makes sure that /etc/shadow- has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/cron.allow file Ubuntu 22.04 This test makes sure that /etc/cron.allow has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on cron.d Ubuntu 22.04 This test makes sure that /etc/cron.d/ has mode 0700. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on cron.daily Ubuntu 22.04 This test makes sure that /etc/cron.daily/ has mode 0700. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on cron.hourly Ubuntu 22.04 This test makes sure that /etc/cron.hourly/ has mode 0700. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on cron.monthly Ubuntu 22.04 This test makes sure that /etc/cron.monthly/ has mode 0700. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on cron.weekly Ubuntu 22.04 This test makes sure that /etc/cron.weekly/ has mode 0700. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on crontab Ubuntu 22.04 This test makes sure that /etc/crontab has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/audit/auditd.conf Ubuntu 22.04 This test makes sure that /etc/audit/auditd.conf has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/audit/audit.rules Ubuntu 22.04 This test makes sure that /etc/audit/audit.rules has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/audit/rules.d/*.rules Ubuntu 22.04 This test makes sure that /etc/audit/rules.d/ has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on group File Ubuntu 22.04 This test makes sure that /etc/group has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on gshadow File Ubuntu 22.04 This test makes sure that /etc/gshadow has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify permissions on System Login Banner Ubuntu 22.04 This test makes sure that /etc/issue has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify permissions on System Login Banner for Remote Connections Ubuntu 22.04 This test makes sure that /etc/issue.net has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify permissions on Message of the Day Banner Ubuntu 22.04 This test makes sure that /etc/motd has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on passwd File Ubuntu 22.04 This test makes sure that /etc/passwd has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/security/opasswd File Ubuntu 22.04 This test makes sure that /etc/security/opasswd has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/security/opasswd.old File Ubuntu 22.04 This test makes sure that /etc/security/opasswd.old has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on shadow File Ubuntu 22.04 This test makes sure that /etc/shadow has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /etc/shells File Ubuntu 22.04 This test makes sure that /etc/shells has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify /boot/grub/grub.cfg Permissions Ubuntu 22.04 This test makes sure that /boot/grub/grub.cfg has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on the journal command Ubuntu 22.04 This test makes sure that /usr/bin/journalctl has mode 0740. If the target file or directory has an extended ACL, then it will fail the mode check. Verify that Shared Library Files Have Restrictive Permissions Ubuntu 22.04 This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ has mode 7755. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on SSH Server config file Ubuntu 22.04 This test makes sure that /etc/ssh/sshd_config has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on SSH Server Public *.pub Key Files Ubuntu 22.04 This test makes sure that /etc/ssh/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on the system journal Ubuntu 22.04 This test makes sure that /run/log/journal/, /var/log/journal/ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on System.map Files Ubuntu 22.04 This test makes sure that /boot/ has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log Directory Ubuntu 22.04 This test makes sure that /var/log/ has mode 0755. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on files in the /var/log/apt/.* directory Ubuntu 22.04 This test makes sure that /var/log/apt/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/auth.log File Ubuntu 22.04 This test makes sure that /var/log/auth.log has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/cloud-init.log(.*) Files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions of Files in /var/log/gdm Ubuntu 22.04 This test makes sure that /var/log/gdm/ has mode 0660. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions of Files in /var/log/gdm3 Ubuntu 22.04 This test makes sure that /var/log/gdm3/ has mode 0660. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/lastlog(.*) Files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0664. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/localmessages(.*) Files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/messages File Ubuntu 22.04 This test makes sure that /var/log/messages has mode 0600. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/secure File Ubuntu 22.04 This test makes sure that /var/log/secure has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions of Files in /var/log/sssd Ubuntu 22.04 This test makes sure that /var/log/sssd/ has mode 0660. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/syslog File Ubuntu 22.04 This test makes sure that /var/log/syslog has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/waagent.log(.*) Files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0644. If the target file or directory has an extended ACL, then it will fail the mode check. Verify Permissions on /var/log/wtmp(.*) Files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0664. If the target file or directory has an extended ACL, then it will fail the mode check. Enable Auditing for Processes Which Start Prior to the Audit Daemon Ubuntu 22.04 Ensure audit=1 is configured in the kernel line in /etc/default/grub. Extend Audit Backlog Limit for the Audit Daemon Ubuntu 22.04 Ensure audit_backlog_limit is configured in the kernel line in /etc/default/grub. Install Smart Card Packages For Multifactor Authentication Ubuntu 22.04 The DPKG package libpam-pkcs11 should be installed. Ensure journald is configured to compress large log files Ubuntu 22.04 Ensure 'Compress' is configured with value 'yes' in section 'Journal' in /etc/systemd/journald.conf Ensure journald ForwardToSyslog is disabled Ubuntu 22.04 Ensure 'ForwardToSyslog' is configured with value 'no' in section 'Journal' in /etc/systemd/journald.conf Ensure journald is configured to write log files to persistent disk Ubuntu 22.04 Ensure 'Storage' is configured with value 'persistent' in section 'Journal' in /etc/systemd/journald.conf Disable Mounting of cramfs Ubuntu 22.04 The kernel module cramfs should be disabled. Disable DCCP Support Ubuntu 22.04 The kernel module dccp should be disabled. Disable Mounting of freevxfs Ubuntu 22.04 The kernel module freevxfs should be disabled. Disable Mounting of hfs Ubuntu 22.04 The kernel module hfs should be disabled. Disable Mounting of hfsplus Ubuntu 22.04 The kernel module hfsplus should be disabled. Disable Mounting of jffs2 Ubuntu 22.04 The kernel module jffs2 should be disabled. Disable RDS Support Ubuntu 22.04 The kernel module rds should be disabled. Disable SCTP Support Ubuntu 22.04 The kernel module sctp should be disabled. Disable Mounting of squashfs Ubuntu 22.04 The kernel module squashfs should be disabled. Disable TIPC Support Ubuntu 22.04 The kernel module tipc should be disabled. Disable Mounting of udf Ubuntu 22.04 The kernel module udf should be disabled. Disable Modprobe Loading of USB Storage Driver Ubuntu 22.04 The kernel module usb-storage should be disabled. Add nodev Option to /dev/shm Ubuntu 22.04 /dev/shm should be mounted with mount option nodev. Add noexec Option to /dev/shm Ubuntu 22.04 /dev/shm should be mounted with mount option noexec. Add nosuid Option to /dev/shm Ubuntu 22.04 /dev/shm should be mounted with mount option nosuid. Add nodev Option to /home Ubuntu 22.04 /home should be mounted with mount option nodev. Add nosuid Option to /home Ubuntu 22.04 /home should be mounted with mount option nosuid. Add nodev Option to /tmp Ubuntu 22.04 /tmp should be mounted with mount option nodev. Add noexec Option to /tmp Ubuntu 22.04 /tmp should be mounted with mount option noexec. Add nosuid Option to /tmp Ubuntu 22.04 /tmp should be mounted with mount option nosuid. Add nodev Option to /var/log/audit Ubuntu 22.04 /var/log/audit should be mounted with mount option nodev. Add noexec Option to /var/log/audit Ubuntu 22.04 /var/log/audit should be mounted with mount option noexec. Add nosuid Option to /var/log/audit Ubuntu 22.04 /var/log/audit should be mounted with mount option nosuid. Add nodev Option to /var/log Ubuntu 22.04 /var/log should be mounted with mount option nodev. Add noexec Option to /var/log Ubuntu 22.04 /var/log should be mounted with mount option noexec. Add nosuid Option to /var/log Ubuntu 22.04 /var/log should be mounted with mount option nosuid. Add nodev Option to /var Ubuntu 22.04 /var should be mounted with mount option nodev. Add nosuid Option to /var Ubuntu 22.04 /var should be mounted with mount option nosuid. Add nodev Option to /var/tmp Ubuntu 22.04 /var/tmp should be mounted with mount option nodev. Add noexec Option to /var/tmp Ubuntu 22.04 /var/tmp should be mounted with mount option noexec. Add nosuid Option to /var/tmp Ubuntu 22.04 /var/tmp should be mounted with mount option nosuid. Install AIDE Ubuntu 22.04 The DPKG package aide should be installed. Ensure AppArmor Utils is installed Ubuntu 22.04 The DPKG package apparmor-utils should be installed. Ensure AppArmor is installed Ubuntu 22.04 The DPKG package apparmor should be installed. Ensure the default plugins for the audit dispatcher are Installed Ubuntu 22.04 The DPKG package audispd-plugins should be installed. Ensure the audit Subsystem is Installed Ubuntu 22.04 The DPKG package auditd should be installed. Remove autofs Package Ubuntu 22.04 The DPKG package autofs should be removed. Uninstall avahi Server Package Ubuntu 22.04 The DPKG package avahi-daemon should be removed. Uninstall bind Package Ubuntu 22.04 The DPKG package bind9 should be removed. The Chrony package is installed Ubuntu 22.04 The DPKG package chrony should be installed. Install the cron service Ubuntu 22.04 The DPKG package cron should be installed. Uninstall CUPS Package Ubuntu 22.04 The DPKG package cups should be removed. package_dconf_installed Ubuntu 22.04 The DPKG package dconf-service should be installed. Uninstall DHCP Server Package Ubuntu 22.04 The DPKG package isc-dhcp-server should be removed. Uninstall dnsmasq Package Ubuntu 22.04 The DPKG package dnsmasq should be removed. Uninstall dovecot Package Ubuntu 22.04 The DPKG package dovecot-core should be removed. Remove ftp Package Ubuntu 22.04 The DPKG package ftp should be removed. package_gdm_installed Ubuntu 22.04 The DPKG package gdm3 should be installed. Remove the GDM Package Group Ubuntu 22.04 The DPKG package gdm3 should be removed. Uninstall apache2 Package Ubuntu 22.04 The DPKG package apache2 should be removed. Uninstall the inet-based telnet server Ubuntu 22.04 The DPKG package inetutils-telnetd should be removed. Install iptables-persistent Package Ubuntu 22.04 The DPKG package iptables-persistent should be installed. Remove iptables-persistent Package Ubuntu 22.04 The DPKG package iptables-persistent should be removed. Install iptables Package Ubuntu 22.04 The DPKG package iptables should be installed. Ensure logrotate is Installed Ubuntu 22.04 The DPKG package logrotate should be installed. Uninstall net-snmp Package Ubuntu 22.04 The DPKG package snmp should be removed. Uninstall nfs-kernel-server Package Ubuntu 22.04 The DPKG package nfs-kernel-server should be removed. Install nftables Package Ubuntu 22.04 The DPKG package nftables should be installed. Uninstall nginx Package Ubuntu 22.04 The DPKG package nginx should be removed. Uninstall the nis package Ubuntu 22.04 The DPKG package nis should be removed. Remove the ntp service Ubuntu 22.04 The DPKG package ntp should be removed. Uninstall the ntpdate package Ubuntu 22.04 The DPKG package ntpdate should be removed. Ensure LDAP client is not installed Ubuntu 22.04 The DPKG package ldap-utils should be removed. Uninstall openldap-servers Package Ubuntu 22.04 The DPKG package slapd should be removed. Install the opensc Package For Multifactor Authentication Ubuntu 22.04 The DPKG package opensc-pkcs11 should be installed. Install the OpenSSH Server Package Ubuntu 22.04 The DPKG package openssh-server should be installed. Remove the OpenSSH Server Package Ubuntu 22.04 The DPKG package openssh-server should be removed. Install pam-modules Package Ubuntu 22.04 The DPKG package libpam-modules should be installed. Install pam_pwquality Package Ubuntu 22.04 The DPKG package libpam-pwquality should be installed. Install pam-runtime Package Ubuntu 22.04 The DPKG package libpam-runtime should be installed. Package "prelink" Must not be Installed Ubuntu 22.04 The DPKG package prelink should be removed. Uninstall rpcbind Package Ubuntu 22.04 The DPKG package rpcbind should be removed. Uninstall rsh-server Package Ubuntu 22.04 The DPKG package rsh-server should be removed. Uninstall rsh Package Ubuntu 22.04 The DPKG package rsh-client should be removed. Uninstall rsync Package Ubuntu 22.04 The DPKG package rsync should be removed. Ensure rsyslog is Installed Ubuntu 22.04 The DPKG package rsyslog should be installed. Uninstall Samba Package Ubuntu 22.04 The DPKG package samba should be removed. Uninstall squid Package Ubuntu 22.04 The DPKG package squid should be removed. Install sudo Package Ubuntu 22.04 The DPKG package sudo should be installed. Install systemd-journal-remote Package Ubuntu 22.04 The DPKG package systemd-journal-remote should be installed. Uninstall talk Package Ubuntu 22.04 The DPKG package talk should be removed. Remove telnet Clients Ubuntu 22.04 The DPKG package telnet should be removed. Uninstall the ssl compliant telnet server Ubuntu 22.04 The DPKG package telnetd-ssl should be removed. Uninstall the telnet server Ubuntu 22.04 The DPKG package telnetd should be removed. Uninstall tftpd-hpa Package Ubuntu 22.04 The DPKG package tftpd-hpa should be removed. Install the systemd_timesyncd Service Ubuntu 22.04 The DPKG package systemd-timesyncd should be installed. Remove the systemd_timesyncd Service Ubuntu 22.04 The DPKG package systemd-timesyncd should be removed. Install ufw Package Ubuntu 22.04 The DPKG package ufw should be installed. Remove ufw Package Ubuntu 22.04 The DPKG package ufw should be removed. Uninstall vsftpd Package Ubuntu 22.04 The DPKG package vsftpd should be removed. Uninstall xinetd Package Ubuntu 22.04 The DPKG package xinetd should be removed. Remove the X Windows Package Group Ubuntu 22.04 The DPKG package xserver-common should be removed. Uninstall ypserv Package Ubuntu 22.04 The DPKG package ypserv should be removed. Ensure /dev/shm is configured Ubuntu 22.04 If stored locally, create a separate partition for /dev/shm. If /dev/shm will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /home Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /home. If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /tmp Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /tmp. If /tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /var. If /var will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/log Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /var/log. If /var/log will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/log/audit Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /var/log/audit. If /var/log/audit will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Ensure /var/tmp Located On Separate Partition Ubuntu 22.04 If stored locally, create a separate partition for /var/tmp. If /var/tmp will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at this time, and the mountpoint can instead be configured later. Verify permissions of log files Ubuntu 22.04 This test makes sure that /var/log/ has mode 0640. If the target file or directory has an extended ACL, then it will fail the mode check. Ensure Log Files Are Owned By Appropriate Group Ubuntu 22.04 All syslog log files should have appropriate ownership. Ensure Log Files Are Owned By Appropriate User Ubuntu 22.04 All syslog log files should have appropriate ownership. Ensure System Log Files Have Correct Permissions Ubuntu 22.04 All syslog log files should have appropriate ownership. Disable Apport Service Ubuntu 22.04 The apport service should be disabled. Enable auditd Service Ubuntu 22.04 The auditd service should be enabled if possible. Disable the Automounter Ubuntu 22.04 The autofs service should be disabled. Disable Avahi Server Software Ubuntu 22.04 The avahi-daemon service should be disabled. Disable Bluetooth Service Ubuntu 22.04 The bluetooth service should be disabled. The Chronyd service is disabled Ubuntu 22.04 The chrony service should be disabled. The Chronyd service is enabled Ubuntu 22.04 The chrony service should be enabled if possible. Enable cron Service Ubuntu 22.04 The cron service should be enabled if possible. Disable the CUPS Service Ubuntu 22.04 The cups service should be disabled. Disable DHCPD6 Service Ubuntu 22.04 The dhcpd6 service should be disabled. Disable DHCP Service Ubuntu 22.04 The dhcpd service should be disabled. Disable dnsmasq Service Ubuntu 22.04 The dnsmasq service should be disabled. Disable Dovecot Service Ubuntu 22.04 The dovecot service should be disabled. Disable apache2 Service Ubuntu 22.04 The apache2 service should be disabled. Disable KDump Kernel Crash Analyzer (kdump) Ubuntu 22.04 The kdump-tools service should be disabled. Disable Network File System (nfs) Ubuntu 22.04 The nfs-server service should be disabled. Verify nftables Service is Disabled Ubuntu 22.04 The nftables service should be disabled. Verify nftables Service is Enabled Ubuntu 22.04 The nftables service should be enabled if possible. Disable nginx Service Ubuntu 22.04 The nginx service should be disabled. Enable Postfix Service Ubuntu 22.04 The postfix service should be enabled if possible. Disable rpcbind Service Ubuntu 22.04 The rpcbind service should be disabled. Ensure rsyncd service is disabled Ubuntu 22.04 The rsyncd service should be disabled. Enable rsyslog Service Ubuntu 22.04 The rsyslog service should be enabled if possible. Disable LDAP Server (slapd) Ubuntu 22.04 The slapd service should be disabled. Disable Samba Ubuntu 22.04 The smbd service should be disabled. Disable snmpd Service Ubuntu 22.04 The snmpd service should be disabled. Disable Squid Ubuntu 22.04 The squid service should be disabled. Enable the OpenSSH Service Ubuntu 22.04 The ssh service should be enabled if possible. Enable systemd-journal-upload Service Ubuntu 22.04 The systemd-journal-upload service should be enabled if possible. Enable systemd-journald Service Ubuntu 22.04 The systemd-journald service should be enabled if possible. Disable tftpd-hpa Service Ubuntu 22.04 The tftpd-hpa service should be disabled. Disable systemd_timesyncd Service Ubuntu 22.04 The systemd-timesyncd service should be disabled. Enable systemd_timesyncd Service Ubuntu 22.04 The systemd-timesyncd service should be enabled if possible. Verify ufw Enabled Ubuntu 22.04 The ufw service should be enabled if possible. Disable vsftpd Service Ubuntu 22.04 The vsftpd service should be disabled. Disable xinetd Service Ubuntu 22.04 The xinetd service should be disabled. Disable ypserv Service Ubuntu 22.04 The ypserv service should be disabled. Disable systemd-journal-remote Socket Ubuntu 22.04 Disable systemd-journal-remote.socket Disable SSH Access via Empty Passwords Ubuntu 22.04 Ensure 'PermitEmptyPasswords' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Disable SSH Forwarding Ubuntu 22.04 Ensure 'DisableForwarding' is configured with value 'yes' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Disable GSSAPI Authentication Ubuntu 22.04 Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Disable SSH Support for .rhosts Files Ubuntu 22.04 Ensure 'IgnoreRhosts' is configured with value 'yes' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Disable SSH Root Login Ubuntu 22.04 Ensure 'PermitRootLogin' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Disable X11 Forwarding Ubuntu 22.04 Ensure 'X11Forwarding' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Do Not Allow SSH Environment Options Ubuntu 22.04 Ensure 'PermitUserEnvironment' is configured with value 'no' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Enable PAM Ubuntu 22.04 Ensure 'UsePAM' is configured with value 'yes' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Enable Public Key Authentication Ubuntu 22.04 Ensure 'PubkeyAuthentication' is configured with value 'yes' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Enable SSH Warning Banner Ubuntu 22.04 Ensure 'Banner' is configured with value '/etc/issue.net' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Set SSH Client Alive Count Max Ubuntu 22.04 Ensure 'ClientAliveCountMax' is configured with value configured in var_sshd_set_keepalive variable in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Set LogLevel to INFO Ubuntu 22.04 Ensure 'LogLevel' is configured with value 'INFO' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Prevent remote hosts from connecting to the proxy display Ubuntu 22.04 Ensure 'X11UseLocalhost' is configured with value 'yes' in /etc/ssh/sshd_config or in /etc/ssh/sshd_config.d Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty Ubuntu 22.04 Checks sudoers Defaults use_pty configuration Ensure Sudo Logfile Exists - sudo logfile Ubuntu 22.04 Checks sudoers Defaults logfile configuration Enable Kernel Parameter to Enforce DAC on Hardlinks Ubuntu 22.04 The 'fs.protected_hardlinks' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Enforce DAC on Hardlinks Ubuntu 22.04 The kernel 'fs.protected_hardlinks' parameter should be set to 1 in the system runtime. Enable Kernel Parameter to Enforce DAC on Hardlinks Ubuntu 22.04 The kernel 'fs.protected_hardlinks' parameter should be set to 1 in the system configuration. Enable Kernel Parameter to Enforce DAC on Symlinks Ubuntu 22.04 The 'fs.protected_symlinks' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Enforce DAC on Symlinks Ubuntu 22.04 The kernel 'fs.protected_symlinks' parameter should be set to 1 in the system runtime. Enable Kernel Parameter to Enforce DAC on Symlinks Ubuntu 22.04 The kernel 'fs.protected_symlinks' parameter should be set to 1 in the system configuration. Disable Core Dumps for SUID programs Ubuntu 22.04 The 'fs.suid_dumpable' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Core Dumps for SUID programs Ubuntu 22.04 The kernel 'fs.suid_dumpable' parameter should be set to 0 in the system runtime. Disable Core Dumps for SUID programs Ubuntu 22.04 The kernel 'fs.suid_dumpable' parameter should be set to 0 in the system configuration. Restrict Access to Kernel Message Buffer Ubuntu 22.04 The 'kernel.dmesg_restrict' kernel parameter should be set to the appropriate value in system configuration and system runtime. Restrict Access to Kernel Message Buffer Ubuntu 22.04 The kernel 'kernel.dmesg_restrict' parameter should be set to 1 in the system runtime. Restrict Access to Kernel Message Buffer Ubuntu 22.04 The kernel 'kernel.dmesg_restrict' parameter should be set to 1 in the system configuration. Enable Randomized Layout of Virtual Address Space Ubuntu 22.04 The 'kernel.randomize_va_space' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Randomized Layout of Virtual Address Space Ubuntu 22.04 The kernel 'kernel.randomize_va_space' parameter should be set to 2 in the system runtime. Enable Randomized Layout of Virtual Address Space Ubuntu 22.04 The kernel 'kernel.randomize_va_space' parameter should be set to 2 in the system configuration. Restrict usage of ptrace to descendant processes Ubuntu 22.04 The 'kernel.yama.ptrace_scope' kernel parameter should be set to the appropriate value in system configuration and system runtime. Restrict usage of ptrace to descendant processes Ubuntu 22.04 The kernel 'kernel.yama.ptrace_scope' parameter should be set to 1 in the system runtime. Restrict usage of ptrace to descendant processes Ubuntu 22.04 The kernel 'kernel.yama.ptrace_scope' parameter should be set to 1 in the system configuration. Disable Accepting ICMP Redirects for All IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.accept_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Accepting ICMP Redirects for All IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.accept_redirects' parameter should be set to the appropriate value in the system runtime. Disable Accepting ICMP Redirects for All IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.accept_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.accept_source_route' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.accept_source_route' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.accept_source_route' parameter should be set to the appropriate value in the system configuration. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.log_martians' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.log_martians' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.log_martians' parameter should be set to the appropriate value in the system configuration. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.rp_filter' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.rp_filter' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.rp_filter' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.secure_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.secure_redirects' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.secure_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.all.send_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to 0 in the system runtime. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to 0 in the system configuration. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.conf.default.accept_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.default.accept_redirects' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.conf.default.accept_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Ubuntu 22.04 The 'net.ipv4.conf.default.accept_source_route' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.accept_source_route' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.accept_source_route' parameter should be set to the appropriate value in the system configuration. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default Ubuntu 22.04 The 'net.ipv4.conf.default.log_martians' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.log_martians' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.log_martians' parameter should be set to the appropriate value in the system configuration. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Ubuntu 22.04 The 'net.ipv4.conf.default.rp_filter' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.rp_filter' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.rp_filter' parameter should be set to the appropriate value in the system configuration. Configure Kernel Parameter for Accepting Secure Redirects By Default Ubuntu 22.04 The 'net.ipv4.conf.default.secure_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Configure Kernel Parameter for Accepting Secure Redirects By Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.secure_redirects' parameter should be set to the appropriate value in the system runtime. Configure Kernel Parameter for Accepting Secure Redirects By Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.secure_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Ubuntu 22.04 The 'net.ipv4.conf.default.send_redirects' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to 0 in the system runtime. Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to 0 in the system configuration. Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.icmp_echo_ignore_broadcasts' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.icmp_echo_ignore_broadcasts' parameter should be set to the appropriate value in the system configuration. Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.icmp_ignore_bogus_error_responses' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.icmp_ignore_bogus_error_responses' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Ubuntu 22.04 The 'net.ipv4.ip_forward' kernel parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.ip_forward' parameter should be set to 0 in the system runtime. Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Ubuntu 22.04 The kernel 'net.ipv4.ip_forward' parameter should be set to 0 in the system configuration. Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces Ubuntu 22.04 The 'net.ipv4.tcp_syncookies' kernel parameter should be set to the appropriate value in system configuration and system runtime. Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces Ubuntu 22.04 The kernel 'net.ipv4.tcp_syncookies' parameter should be set to the appropriate value in the system runtime. Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces Ubuntu 22.04 The kernel 'net.ipv4.tcp_syncookies' parameter should be set to the appropriate value in the system configuration. Configure Accepting Router Advertisements on All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in system configuration and system runtime. Configure Accepting Router Advertisements on All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in the system runtime. Configure Accepting Router Advertisements on All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in the system configuration. Disable Accepting ICMP Redirects for All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in system configuration and system runtime. Disable Accepting ICMP Redirects for All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in the system runtime. Disable Accepting ICMP Redirects for All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in the system configuration. Disable IPv6 Addressing on All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to 1 in the system runtime. Disable IPv6 Addressing on All IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to 1 in the system configuration. Disable Kernel Parameter for IPv6 Forwarding Ubuntu 22.04 The kernel 'net.ipv6.conf.all.forwarding' parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for IPv6 Forwarding Ubuntu 22.04 The kernel 'net.ipv6.conf.all.forwarding' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for IPv6 Forwarding Ubuntu 22.04 The kernel 'net.ipv6.conf.all.forwarding' parameter should be set to the appropriate value in the system configuration. Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in system configuration and system runtime. Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in the system runtime. Disable Accepting Router Advertisements on all IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in the system configuration. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in system configuration and system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in the system runtime. Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Ubuntu 22.04 The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in the system configuration. Verify that 'use_mappers' is set to 'pwent' in PAM Ubuntu 22.04 Check presence of use_mappers = pwent in /etc/pam_pkcs11/pam_pkcs11.conf Check that vlock is installed to allow session locking Ubuntu 22.04 The DPKG package vlock should be installed. Enable Auditing to Start Prior to the Audit Daemon in zIPL Ubuntu 22.04 Ensure audit=1 option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well. Extend Audit Backlog Limit for the Audit Daemon in zIPL Ubuntu 22.04 Ensure audit_backlog_limit=8192 option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well. Check pam_pwquality Existence in system-auth Ubuntu 22.04 Check that pam_pwquality.so exists in system-auth Test if auditctl is in use for audit rules Ubuntu 22.04 Test if auditctl is in use for audit rules. Test if augenrules is enabled for audit rules Ubuntu 22.04 Test if augenrules is enabled for audit rules. Record Events that Modify the System's Network Environment Ubuntu 22.04 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. Record Events that Modify the System's Network Environment Ubuntu 22.04 The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. 'log_file' Not Set In /etc/audit/auditd.conf Ubuntu 22.04 Verify 'log_file' is not set in /etc/audit/auditd.conf. 'log_group' Not Set To 'root' In /etc/audit/auditd.conf Ubuntu 22.04 Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf. Ubuntu 22.04 Bootable container or bootc system Verify GRUB_DISABLE_RECOVERY Set to true Ubuntu 22.04 GRUB_DISABLE_RECOVERY set to 'true' in /etc/default/grub SSHD is not required to be installed or requirement not set Ubuntu 22.04 If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. SSHD is required to be installed or requirement not set Ubuntu 22.04 If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. It doesn't matter if sshd is installed or not Ubuntu 22.04 Test if value sshd_required is 0. Kernel Runtime Parameter IPv6 Check Ubuntu 22.04 Disables IPv6 for all network interfaces. Test for 64-bit Architecture Ubuntu 22.04 Generic test for 64-bit architectures to be used by other tests Test for aarch_64 Architecture Ubuntu 22.04 Generic test for aarch_64 architecture to be used by other tests Test for PPC and PPCLE Architecture Ubuntu 22.04 Generic test for PPC PPC64LE architecture to be used by other tests Test for s390_64 Architecture Ubuntu 22.04 Generic test for s390_64 architecture to be used by other tests Test for x86_64 Architecture Ubuntu 22.04 Generic test for x86_64 architecture to be used by other tests Value of 'var_accounts_user_umask' variable represented as octal number Ubuntu 22.04 Value of 'var_accounts_user_umask' variable represented as octal number ^/etc/audit/rules\.d/.*\.rules$ ^\-e\s+2\s*$ 1 /etc/audit/audit.rules ^\-e\s+2\s*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/networks[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/networks[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w[\s]+/etc/network/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/network/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ 1 /etc/audit/audit.rules ^\-w\s+/var/run/utmp\s+\-p\s+wa\b.*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/btmp\s+\-p\s+wa\b.*$ 1 /etc/audit/audit.rules ^\-w\s+/var/log/wtmp\s+\-p\s+wa\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+euid!=uid[\s]+-F[\s]+auid!=unset[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+uid!=euid[\s]+-F[\s]+euid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+execve[\s]+-C[\s]+gid!=egid[\s]+-F[\s]+egid=0[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /var/log/audit /var/log/audit oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 /var/log/audit/audit.log oval:ssg-state_group_owner_not_root_var_log_audit:ste:1 oval:ssg-file_group_ownership_var_log_audit_stig_state_group_owner_not_root:ste:1 /var/log/audit/audit.log oval:ssg-file_group_ownership_var_log_audit_stig_state_group_owner_not_root:ste:1 oval:ssg-state_owner_not_root_var_log_audit:ste:1 /var/log/audit ^.*$ oval:ssg-state_owner_not_root_var_log_audit:ste:1 oval:ssg-state_not_mode_0600:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0600:ste:1 oval:ssg-state_not_mode_0640:ste:1 /var/log/audit ^.*$ oval:ssg-state_not_mode_0640:ste:1 ^.*$ oval:ssg-state_file_permissions_var_log_audit_stig_not_mode_0600:ste:1 /var/log/audit/ ^.*$ oval:ssg-state_file_permissions_var_log_audit_stig_not_mode_0600:ste:1 ^(?!/proc(/.*|$)).*$ oval:ssg-state_audit_rules_privileged_commands_dev_partitons:ste:1 oval:ssg-state_audit_rules_privileged_commands_nosuid_partitons:ste:1 oval:ssg-state_audit_rules_privileged_commands_noexec_partitons:ste:1 ^\w+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dracut_tmp_files:ste:1 / ^\w+ oval:ssg-state_setuid_or_setgid_set:ste:1 oval:ssg-state_dracut_tmp_files:ste:1 oval:ssg-state_audit_rules_privileged_commands_sysroot:ste:1 oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count:var:1 oval:ssg-var_audit_rules_privileged_commands_priv_cmds_count_bootc:var:1 ^/etc/audit/rules\.d/.*\.rules$ 1 oval:ssg-state_unprivileged_commands:ste:1 ^/etc/audit/rules\.d/.*\.rules$ 1 oval:ssg-state_unprivileged_commands_bootc:ste:1 /etc/audit/audit.rules 1 oval:ssg-state_unprivileged_commands:ste:1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+/sbin/fdisk[\s]+-p[\s]+x([\s]+-k[\s]+[\S]+)?[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+/sbin/fdisk[\s]+-p[\s]+x([\s]+-k[\s]+[\S]+)?[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+/bin/kmod[\s]+-p[\s]+x([\s]+-k[\s]+[\S]+)?[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+/bin/kmod[\s]+-p[\s]+x([\s]+-k[\s]+[\S]+)?[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/kmod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-w[\s]+/sbin/modprobe[\s]+-p[\s]+x\b.*$ 1 /etc/audit/audit.rules ^[\s]*-w[\s]+/sbin/modprobe[\s]+-p[\s]+x\b.*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audisp-remote.conf ^[ ]*(?i)remote_server(?-i)[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/plugins.d/au-remote.conf ^[ ]*(?i)active(?-i)[ ]+=[ ]+(yes)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 /etc/audit/auditd.conf ^[\s]*space_left[\s]+=[\s]+(\d+)%[\s]*$ 1 /etc/cron.weekly/audit-offload ^.*$ 1 /etc/apt/apt.conf(\.d/.*)?$ ^[^#]*(?i)AllowUnauthenticated(?-i)(.*)$ 1 tcp 127.0.0.1 25 oval:ssg-ste_not_port_25:ste:1 oval:ssg-ste_not_on_localhost:ste:1 tcp 127.0.0.1 465 oval:ssg-ste_not_port_465:ste:1 oval:ssg-ste_not_on_localhost:ste:1 tcp 127.0.0.1 587 oval:ssg-ste_not_port_587:ste:1 oval:ssg-ste_not_on_localhost:ste:1 /etc/postfix/main.cf ^[\s]*inet_interfaces[\s]*=[\s]*(.*)[\s]*$ 1 /etc/chrony/chrony.conf 1 /etc/chrony/chrony.conf 1 /etc/ntp.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 ^(/etc/chrony/chrony\.conf|/etc/chrony/conf\.d/.+\.conf)$ ^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/ntp.conf ^server[\s]+[\S]+[\s]+(.*) 1 ^(/etc/chrony/chrony\.conf|/etc/chrony/conf\.d/.+\.conf)$ ^(?:server|pool|peer)[\s]+[\S]+[\s]+(.*) 1 /etc/chrony/chrony.conf ^[ \t]*user[[:space:]](.+?)[ \t]*(?:$|#) 1 /etc/chrony/chrony.conf ^[ \t]*user[[:space:]] 1 ^(chrony|systemd-timesyncd).service$ ActiveState oval:ssg-ste_ntp_single_service_active_timesync_services:ste:1 oval:ssg-var_ntp_single_service_active_timesync_active_count:var:1 /etc/systemd/timesyncd.conf 1 /etc/systemd/timesyncd.conf.d ^.*\.conf$ 1 /root ^\.rhosts$ /home ^\.rhosts$ /etc ^hosts\.equiv$ /etc/ssh .*_key$ oval:ssg-exclude_symlinks__sshd_private_key:ste:1 oval:ssg-filter_ssh_key_owner_root:ste:1 ^\/etc\/ssh\/sshd_config.*$ (?i)^[ ]*AllowUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 ^/etc/ssh/sshd_config.*$ (?i)^[ ]*AllowGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 ^/etc/ssh/sshd_config.*$ (?i)^[ ]*DenyUsers[ ]+((?:[^ \n]+[ ]*)+)$ 1 ^/etc/ssh/sshd_config.*$ (?i)^[ ]*DenyGroups[ ]+((?:[^ \n]+[ ]*)+)$ 1 /etc/ssh/sshd_config ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 /etc/ssh/sshd_config.d .*\.conf$ ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$ 1 oval:ssg-object_sshd_idle_timeout:obj:1 oval:ssg-object_sshd_idle_timeout_config_dir:obj:1 /etc/ssh/sshd_config ^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$ 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)LoginGraceTime(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-object_sshd_login_grace_time:obj:1 oval:ssg-obj_sshd_set_login_grace_time_config_dir:obj:1 /etc/ssh/sshd_config ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$ 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)MaxAuthTries(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-object_sshd_max_auth_tries:obj:1 oval:ssg-obj_sshd_set_max_auth_tries_config_dir:obj:1 /etc/ssh/sshd_config ^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$ 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)MaxSessions(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-object_sshd_max_sessions:obj:1 oval:ssg-obj_sshd_set_max_sessions_config_dir:obj:1 /etc/(ssh|ssh/sshd_config.d) (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$ 1 /etc/(ssh|ssh/sshd_config.d) (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$ 1 /etc/(ssh|ssh/sshd_config.d) (sshd_config|.*\.conf)$ (?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$ 1 /etc/ssh/sshd_config ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_use_approved_ciphers_ordered_stig:obj:1 oval:ssg-obj_sshd_use_approved_ciphers_ordered_stig_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)KexAlgorithms(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_use_approved_kex_ordered_stig:obj:1 oval:ssg-obj_sshd_use_approved_kex_ordered_stig_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)MACs(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_use_approved_macs_ordered_stig:obj:1 oval:ssg-obj_sshd_use_approved_macs_ordered_stig_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)Ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)Ciphers(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_use_strong_ciphers:obj:1 oval:ssg-obj_sshd_use_strong_ciphers_config_dir:obj:1 oval:ssg-var_sshd_config_kex:var:1 /etc/ssh/sshd_config ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 oval:ssg-var_sshd_config_kex_config_dir:var:1 /etc/ssh/sshd_config.d .*\.conf$ ^[\s]*(?i)KexAlgorithms(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 oval:ssg-obj_sshd_config_kex:obj:1 oval:ssg-obj_sshd_config_kex_config_dir:obj:1 oval:ssg-var_sshd_config_strong_macs:var:1 /etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 oval:ssg-var_sshd_config_macs_config_dir:var:1 /etc/ssh/sshd_config.d .*\.conf$ ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:#.*)?$ 1 oval:ssg-obj_sshd_config_strong_macs:obj:1 oval:ssg-obj_sshd_config_macs_config_dir:obj:1 ^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$ ^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*(\d+)\s*(?:#.*)?$ 1 ^/etc/issue\.net$ ^(.*)$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-enable$ 1 /etc/gdm3/greeter.dconf-defaults ^\[org/gnome/login-screen\]([^\n]*\n+)+?banner-message-enable=true$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^banner-message-text=\s*'([^']*)'$ 1 /etc/gdm3/greeter.dconf-defaults ^banner-message-text=\s*'([^']*)'$ 1 /etc/pam.d/common-auth ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$ 1 /etc/pam.d/common-account ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$ 1 /etc/pam.d/common-password ^[\s]*password[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$ 1 /etc/pam.d/common-session ^[\s]*session[\s]+(required|\[(?=.*?\bsuccess=\d+\b)?(?=.*?\bnew_authtok_reqd=ok\b)?(?=.*?\bdefault=ignore\b)?.*\])[\s]+pam_unix\.so.*$ 1 /etc/pam.d/common-password ^[\s]*password[\s]+((?:\[success=\d+\s+default=ignore\])|(?:requisite)|(?:required))[\s]+pam_pwhistory\.so[\s]+.*$ 1 /etc/pam.d/common-password 1 /etc/pam.d/common-password ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\benforce_for_root\b.*$ 1 /etc/pam.d/common-password 1 /etc/pam.d/common-password ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\bremember=([0-9]*)\b.*$ 1 /etc/pam.d/common-password ^[^#\n\r]*password[ \t]+.*pam_pwhistory\.so.*$ 1 oval:ssg-accounts_password_pam_pwhistory_use_authtok_obj_use_authtok_password_lines_except_first_common-password:obj:1 oval:ssg-accounts_password_pam_pwhistory_use_authtok_ste_use_authtok_pam_pwhistory_lines:ste:1 /etc/pam.d/common-password ^[ \t]*password[ \t]+(.+)$ 2 /etc/pam.d/common-password ^[ \t]*password[ \t]+[^#\n\r]+[ \t]+pam_unix\.so.*$ 1 oval:ssg-obj_accounts_password_pam_unix_authtok_password_lines_not_initial_common-password:obj:1 oval:ssg-ste_accounts_password_pam_unix_authtok_pam_unix_lines:ste:1 /etc/pam.d/common-password ^[ \t]*password[ \t]+(.+)$ 2 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 ^/etc/security/pwquality.conf$ ^enforce_for_root$ 1 /etc/pam.d/common-password ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ 1 /etc/pam.d/common-password ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ 1 /etc/security/pwquality.conf ^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) 1 /etc/login.defs .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n 1 oval:ssg-variable_last_encrypt_method_instance_value:var:1 /etc/pam.d/common-password ^[\s]*password[\s]+(?:\[success=\d+\s+default=ignore\])[\s]+pam_unix\.so[\s]+(?!.*\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\b[^#]*\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\b)[^#]*\b(sha512|yescrypt|gost_yescrypt|blowfish|sha256|md5|bigcrypt)\b.*$ 1 /etc/systemd/system/ctrl-alt-del.target /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=\s*(.*);$ 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=(.*)$ 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=\s*(.*);$ 1 /etc/pam.d/common-auth ^\s*auth\s+\[.*\]\s+pam_pkcs11.so(?:\s|$) 1 .* oval:ssg-variable_count_of_all_uids:var:1 /etc/group ^.+:.+:(\d+):.*$ 1 oval:ssg-variable_count_of_all_group_ids:var:1 /etc/group ^(.+):.+ 1 oval:ssg-variable_count_of_all_group_names:var:1 /etc/shells ^[^#]*/nologin\b.*$ 1 /etc/default/useradd ^\s*INACTIVE\s*=\s*(\d+)\s*$ 1 /etc/passwd ^([^:]+):.*$ 1 oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 /etc/group ^shadow:.*:.*:(.*)$ 1 /etc/passwd 1 /etc/login.defs ^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_max_days_instance_value:var:1 /etc/login.defs .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_min_days_instance_value:var:1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:){2}():(?:[^:]*:){3}(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:)():(?:[^:]*:){4}(?:[^:]*)$ 1 /etc/login.defs .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n 1 oval:ssg-variable_last_pass_warn_age_instance_value:var:1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){4}(\d+):(?:[^:]*:)(?:[^:]*)$ 1 /etc/shadow ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){4}(\d+):(?:[^:]*:)(?:[^:]*)$ 1 .* .* oval:ssg-state_accounts_password_all_chage_past_has_no_password:ste:1 oval:ssg-var_accounts_password_last_change_is_in_past_time_diff:var:1 ^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$ ^\s*password\s+(?:(?:sufficient)|(?:required)|(?:\[.*\]))\s+pam_unix\.so[^#]+\bremember=\d+\b.*$ 1 /etc/group ^[^:]+:[^:]+:([0-9]+): 1 /etc/passwd ^[^:]+:[^:]+:[0-9]+:([0-9]+): 1 /etc/passwd ^.*?:[^:]*:([^:]*):.*$ 1 oval:ssg-var_num_duplicate_uids_in_etc_passwd:var:1 ^/etc/pam.d/common-password ^[^#]*\bnullok\b.*$ 1 /etc/shadow ^[^:]+::.*$ 1 ^/etc/pam.d/common-(password|auth|account|session|session-noninteractive)$ ^[^#]*\bnullok\b.*$ 1 oval:ssg-object_no_forward_files_objects_others:obj:1 .* oval:ssg-state_no_forward_files_users_uids:ste:1 oval:ssg-state_no_forward_files_users_ignored:ste:1 oval:ssg-state_no_forward_files_users_nologin_shell:ste:1 \.forward$ /home ^\.netrc$ /etc/passwd ^(?!root:)[^:]*:[^:]*:0 1 /etc/passwd ^root:.+:\d+:(\d+).+ 1 /etc/passwd ^(?!\b(root|sync|shutdown|halt|operator)\b).+:.+:\d+:0:.+$ 1 /etc/group 1 /etc/shadow ^root:(\$(y|[0-9].+)\$).*$ 1 /etc/group ^(?!root:)[^:]*:[^:]*:0 1 /etc/shells ^\/[^\n\r]*$ 1 oval:ssg-filter_no_invalid_shell_accounts_unlocked_not_valid_shell:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d+:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_no_invalid_shell_accounts_unlocked_users_ignored:ste:1 oval:ssg-state_no_invalid_shell_accounts_unlocked_locked_accounts:ste:1 /etc/shadow ^([^:]*):(?:[ \t\n\r\:\;\*\!\\]*):(?:[^:]*:){6}$ 1 /etc/login.defs .*(?:^|\n)\s*(UID_MIN[\s]+[\d]+)\s*(?:$|\n) 1 /etc/login.defs .*(?:^|\n)\s*(SYS_UID_MIN[\s]+[\d]+)\s*(?:$|\n) 1 /etc/login.defs .*(?:^|\n)\s*(SYS_UID_MAX[\s]+[\d]+)\s*(?:$|\n) 1 /etc/passwd ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$ 1 /etc/shadow ^root:([^:]*):(?:[^:]*:){6}(?:[^:]*)$ 1 /etc/pam.d/su ^\s*auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)[^#]*\bgroup=([_a-z][-0-9_a-z]*) 1 /etc/security/limits.conf ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins 1 /etc/bash.bashrc ^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$ 1 /etc/profile ^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$ 1 /etc/profile.d ^.*\.sh$ ^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$ 1 oval:ssg-object_etc_profile_tmout:obj:1 oval:ssg-object_etc_profiled_tmout:obj:1 oval:ssg-variable_count_of_tmout_instances:var:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_accounts_user_dot_group_ownership_home_dirs_users_ignored:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_accounts_user_dot_group_ownership_gids_users_ignored:ste:1 ^\..* /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_accounts_user_dot_user_ownership_home_dirs_users_ignored:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_accounts_user_dot_user_ownership_uids_users_ignored:ste:1 ^\..* /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_accounts_user_interactive_home_directory_exists_objects_users_ignored:ste:1 oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_file_groupownership_home_directories_home_dirs_users_ignored:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_file_groupownership_home_directories_gids_users_ignored:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_file_ownership_home_directories_home_dirs_users_ignored:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_file_ownership_home_directories_uids_users_ignored:ste:1 oval:ssg-var_file_ownership_home_directories_uids_count:var:1 .bash_history oval:ssg-object_file_permission_user_bash_history_objects_others:obj:1 .* oval:ssg-state_file_permission_user_bash_history_users_uids:ste:1 oval:ssg-state_file_permission_user_bash_history_users_ignored:ste:1 oval:ssg-state_file_permission_user_bash_history_users_nologin_shell:ste:1 oval:ssg-object_file_permission_user_init_files_objects_others:obj:1 .* oval:ssg-state_file_permission_user_init_files_users_uids:ste:1 oval:ssg-state_file_permission_user_init_files_users_ignored:ste:1 oval:ssg-state_file_permission_user_init_files_users_nologin_shell:ste:1 /etc/passwd 1 /etc/passwd ^([^:]*):[^:]*:\d{4,}:(?:[^:]*:){3}(?!(\/usr)?(\/sbin\/nologin|\/bin\/false))[^:]*$ 1 oval:ssg-state_object_file_permissions_home_directories_objects_users_ignored:ste:1 PATH oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 PATH oval:ssg-state_accounts_root_path_dirs_not_owned_by_root:ste:1 oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 PATH oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 oval:ssg-var_accounts_root_path_existing_count:var:1 PATH /etc/bash.bashrc ^[^#]*\bumask\s+(\d{3})\s*$ 1 oval:ssg-var_etc_bashrc_umask_as_number:var:1 /etc/login.defs ^[\s]*UMASK[\s]+([^#\s]*) 1 oval:ssg-var_etc_login_defs_umask_as_number:var:1 ^\/etc\/profile(?:\.d\/.*\.sh|\.d\/sh\.local)?$ ^[\s]*umask[\s]+([^#\s]*) 1 oval:ssg-var_etc_profile_umask_as_number:var:1 ^(/root/.bashrc|/root/.profile)$ ^[^#]*\bumask\s+[0-7]?[0-7]([0-1][0-7]|[0-7][0-6])\s*$ 1 /sys/kernel/security/apparmor/profiles ^(.*)$ 1 /sys/kernel/security/apparmor/profiles ^.*(\(enforce\))$ 1 /sys/kernel/security/apparmor/profiles ^.*(\(complain\))$ 1 oval:ssg-all_apparmor_profiles_in_enforce_complain_mode_var_num_apparmor_profiles:var:1 /boot/grub/grub.cfg ^\s*linux\b.*(?!/boot/memtest86\+\.bin).*\bapparmor=1\b.*$ 1 /boot/grub/grub.cfg ^\s*linux\b.*(?!/boot/memtest86\+\.bin).*\bsecurity=apparmor\b.*$ 1 /boot/grub/grub.cfg ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ 1 /boot/grub/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 /boot/grub/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 /boot/grub/grub.cfg ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ 1 /boot/grub/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 /etc/localtime ^/etc/rsyslog\.(conf|d/.+\.conf)$ ^[^#\n]*auth(,\w+)*\.\*[^\n]*$ 1 ^/etc/rsyslog\.(conf|d/.+\.conf)$ ^[^#\n]*authpriv(,\w+)*\.\*[^\n]*$ 1 ^/etc/rsyslog\.(conf|d/.+\.conf)$ ^[^#\n]*daemon(,\w+)*\.\*[^\n]*$ 1 ^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$ ^\[Upload\](?:[^\n]*\n+)+?^\h*ServerKeyFile\h*=\h*(.*)\h*$ 1 ^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$ ^\[Upload\](?:[^\n]*\n+)+?^\h*ServerCertificateFile\h*=\h*(.*)\h*$ 1 ^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$ ^\[Upload\](?:[^\n]*\n+)+?^\h*TrustedCertificateFile\h*=\h*(.*)\h*$ 1 ^/etc/systemd/journal-upload.conf(\.d/[^/]+\.conf)?$ ^\[Upload\](?:[^\n]*\n+)+?^\h*URL\h*=\h*(.*)\h*$ 1 /etc/logrotate.conf ^\s*daily[\s#]*$ 1 /etc/logrotate.conf ^\s*(weekly|monthly|yearly)[\s#]*$ 1 /etc/cron.daily/logrotate ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1 ^[\s]*include[\s]+\"([^\s]+)"$ 1 ^.*$ 1 /proc/net/wireless ^\s*\S+:\s 1 .* oval:ssg-state_dir_perms_world_writable_sticky_bits_dev_partitons:ste:1 oval:ssg-state_dir_perms_world_writable_sticky_bits:ste:1 .* oval:ssg-state_file_permissions_unauthorized_world_writable_dev_partitons:ste:1 ^.*$ oval:ssg-state_file_permissions_unauthorized_world_write:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_special_selinux_files:ste:1 oval:ssg-state_file_permissions_unauthorized_world_write_sysroot:ste:1 /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 /usr/lib/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 oval:ssg-object_etc_group:obj:1 oval:ssg-object_usr_lib_group:obj:1 .* oval:ssg-state_file_permissions_ungroupowned_dev_partitons:ste:1 .* oval:ssg-state_file_permissions_ungroupowned_local_group_owner:ste:1 oval:ssg-state_file_permissions_ungroupowned_sysroot:ste:1 .* oval:ssg-state_file_permissions_ungroupowned_local_group_owner_with_usrlib:ste:1 oval:ssg-state_file_permissions_ungroupowned_sysroot:ste:1 /etc/nsswitch.conf ^\s*group:\s+(.*)$ 1 nss-altfiles /etc/group ^adm:\w+:(\w+):.* 1 /var/log .* oval:ssg-file_groupownerships_var_log_exclude_symlinks:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_apt:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_auth_log:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_bwtmp:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_cloudinit:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_gdm:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_journal:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_landscape:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_lastlog:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_localmessages:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_messages:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_secure:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_sssd:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_syslog:ste:1 oval:ssg-file_groupownerships_var_log_exclude_files_waagent:ste:1 /etc/group 1 /etc/passwd 1 /etc/passwd ^[^:]+:[^:]*:(\d\d?\d?):.*$ 1 /etc/passwd ^syslog:[^:]+:([0-9]+): 1 /var/log .* oval:ssg-file_ownerships_var_log_exclude_symlinks:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_apt:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_auth_log:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_bwtmp:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_cloudinit:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_gdm:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_journal:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_landscape:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_lastlog:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_localmessages:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_messages:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_secure:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_sssd:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_syslog:ste:1 oval:ssg-file_ownerships_var_log_exclude_files_waagent:ste:1 ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin ^.*$ oval:ssg-state_groupowner_system_commands_dirs_not_system_group_not_sgid:ste:1 oval:ssg-state_groupowner_system_commands_dirs_symlink:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin oval:ssg-state_owner_binaries_not_root:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin ^.*$ oval:ssg-state_owner_binaries_not_system_accounts:ste:1 ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1 oval:ssg-state_perms_binary_files_symlink:ste:1 ^/(|usr/)lib(|64)$ ^.*$ oval:ssg-state_groupowner_binaries_not_system_accounts:ste:1 oval:ssg-state_groupowner_root_path_dirs_symlink:ste:1 /etc/security/limits.conf ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\S]+) 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\S]+) 1 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core 1 /proc/cpuinfo ^flags[\s]+:.*[\s]+nx[\s]+.*$ 1 /proc/cmdline .+noexec[0-9]*=off.+ 1 ^(?!\/boot(?:\/efi)?$).* oval:ssg-state_encrypted_partitions:ste:1 oval:ssg-state_non_temporary_partitions:ste:1 oval:ssg-state_non_pseudo_file_systems:ste:1 /etc/crypttab ^\s*(\S+) 1 /etc/dconf/profile/gdm (?ms)^\s*user-db:user\s*.*\n\s*system-db:gdm\s*$ 1 /etc/dconf/profile/user (?ms)^\s*user-db:user\s*.*\n\s*system-db:local\s*$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen\]([^\n]*\n+)+?disable-user-list=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/disable-user-list$ 1 /etc/gdm3/custom.conf ^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) 1 ^/etc/gdm3/custom.conf /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount-open$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/autorun-never$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/session\]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ 1 /etc/dconf/db/local.d/ ^.*$ ^idle-delay[\s=]*uint32[\s]([^=\s]*) 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/session/idle-delay$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ 1 /etc/dconf/db/local.d/ ^.*$ ^lock-delay[\s=]*uint32[\s]([^=\s]*) 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-delay$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver\]([^\n]*\n+)+?lock-enabled=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-enabled$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/settings-daemon/plugins/media-keys\]([^\n]*\n+)+?logout[\s]*=[\s]*\[''\]$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/settings-daemon/plugins/media-keys/logout$ 1 /proc/sys/crypto/fips_enabled ^.*$ 1 /etc/aide/aide.conf ^@@define[\s]DBDIR[\s]+(/.*)$ 1 /etc/aide/aide.conf ^database=file:(?:@@{DBDIR}/)?([a-z./]+)$ 1 /etc/aide/aide.conf ^database_out=file:@@{DBDIR}/([a-z.]+)$ 1 /etc/aide/aide.conf ^database_out=file:([a-z./]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/auditctl\s+([^\n]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/auditd\s+([^\n]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/ausearch\s+([^\n]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/aureport\s+([^\n]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/autrace\s+([^\n]+)$ 1 /etc/aide/aide.conf ^(?:/usr)?/sbin/augenrules\s+([^\n]+)$ 1 /var/spool/cron/crontabs/root aide(\.wrapper)? 1 /etc/cron\.(daily|hourly|weekly) ^.*$ ^(?:\/usr\/bin\/)?aide(\.wrapper)? 1 /etc/crontab [^\s]+\s+[^\s]+\s+\*(?:\/[1-7])*\s+\*\s+[^\s]+\s+(?:\/usr\/bin\/)?aide(\.wrapper)?\s+[^\s]+\s+(?=-C|--check).* 1 aidecheck.service UnitFileState aidecheck.timer UnitFileState aidecheck.timer ActiveState /etc/sudoers ^(?!#).*[\s]+\!authenticate.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+\!authenticate.*$ 1 /etc/sudoers ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 ^\/etc\/(sudoers|sudoers\.d\/.*)$ ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$ 1 ^\/etc\/(sudoers|sudoers\.d\/.*)$ ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$ 1 ^/etc/apt/apt.conf.*$ ^(?i)[\s]*Unattended-Upgrade::Remove-Unused-Dependencies(?-i)(=|[\s]+)\"(yes|true|1)\";.*$ 1 ^/etc/apt/apt.conf.*$ ^(?i)[\s]*Unattended-Upgrade::Remove-Unused-Kernel-Packages(?-i)(=|[\s]+)\"(yes|true|1)\";.*$ 1 ^/etc/security/pwquality.conf$ ^\s*dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*difok[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /etc/security/pwquality.conf ^[\s]*enforcing = 1[\s]*$ 1 ^/etc/security/pwquality.conf$ ^\s*lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*maxsequence[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 ^/etc/security/pwquality.conf$ ^\s*ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) 1 /etc/pam.d/common-auth ^\s*auth\s+required\s+pam_faildelay.so.*\sdelay=(-?\d+)(?:\s+.*)? 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-auth 1 /etc/pam.d/common-account 1 /etc/pam.d/common-auth 1 /etc/security/faillock.conf 1 /etc/default/aide ^\s*SILENTREPORTS=(.+?)[ \t]*(?:$|#) 1 ^/etc/default/aide multi-user.target multi-user.target ^apparmor\.(socket|service)$ ActiveState apparmor ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid=0[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/setfacl(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295))\s+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/apparmor_parser(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/sbin\/apparmor_parser(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chfn(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chfn(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/ssh-agent(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/lib\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/lib\/openssh\/ssh-keysign(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_update(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usermod(?:[\s]+-F[\s]+perm=x)[\s]+-F[\s]+auid>=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 ^/etc/audit/rules\.d/.*\.rules$ 1 /etc/audit/audit.rules 1 /etc/issue ^.+$ 1 /etc/issue (\\v|\\r|\\m|\\s|ubuntu2204) 1 /etc/issue.net ^.+$ 1 /etc/issue.net (\\v|\\r|\\m|\\s|ubuntu2204) 1 /etc/motd (\\v|\\r|\\m|\\s|ubuntu2204) 1 /etc/chrony/chrony.conf ^\s*makestep (.+?)[ \t]*(?:$|#) 1 ^/etc/chrony/chrony.conf /lib oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 /lib64 oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 /usr/lib oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 /usr/lib64 oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_0_0:ste:1 /etc/group ^systemd-journal:\w+:(\w+):.* 1 /usr/lib/group ^systemd-journal:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerdir_groupowner_system_journal_systemd-journal_gid_etc:obj:1 oval:ssg-object_file_groupownerdir_groupowner_system_journal_systemd-journal_gid_usr:obj:1 /run/log/journal oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupowner_system_journal_0_systemd-journal:ste:1 /var/log/journal oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupowner_system_journal_0_systemd-journal:ste:1 /bin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /sbin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /usr/bin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /usr/sbin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /usr/local/bin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /usr/local/sbin oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerdir_groupownership_binary_dirs_0_0:ste:1 /run/log/journal oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_owner_system_journal_0_0:ste:1 /var/log/journal oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_owner_system_journal_0_0:ste:1 /bin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /sbin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /usr/bin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /usr/sbin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /usr/local/bin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /usr/local/sbin oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_binary_dirs_0_0:ste:1 /lib oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 /lib64 oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 /usr/lib oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 /usr/lib64 oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerdir_ownership_library_dirs_0_0:ste:1 /bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_0_mode_0755or_stricter_:ste:1 /sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_1_mode_0755or_stricter_:ste:1 /usr/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_2_mode_0755or_stricter_:ste:1 /usr/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_3_mode_0755or_stricter_:ste:1 /usr/local/bin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_4_mode_0755or_stricter_:ste:1 /usr/local/sbin oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1 oval:ssg-state_file_permissionsdir_permissions_binary_dirs_5_mode_0755or_stricter_:ste:1 /run/log/journal oval:ssg-exclude_symlinks_dir_permissions_system_journal:ste:1 oval:ssg-state_file_permissionsdir_permissions_system_journal_0_mode_2750or_stricter_:ste:1 /var/log/journal oval:ssg-exclude_symlinks_dir_permissions_system_journal:ste:1 oval:ssg-state_file_permissionsdir_permissions_system_journal_1_mode_2750or_stricter_:ste:1 /etc/ssh/sshd_config ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_disable_host_auth:obj:1 oval:ssg-obj_disable_host_auth_config_dir:obj:1 /etc/at.allow /etc/cron.allow /etc/cron.deny /etc/at.allow oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_at_allow_0_0:ste:1 /etc/at.deny oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_at_deny_0_0:ste:1 /etc/group- oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_backup_etc_group_0_0:ste:1 /etc/gshadow- oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_backup_etc_gshadow_0_42:ste:1 /etc/passwd- oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_backup_etc_passwd_0_0:ste:1 /etc/shadow- oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_backup_etc_shadow_0_42:ste:1 /etc/group ^crontab:\w+:(\w+):.* 1 /usr/lib/group ^crontab:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_cron_allow_crontab_gid_etc:obj:1 oval:ssg-object_file_groupowner_cron_allow_crontab_gid_usr:obj:1 /etc/cron.allow oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_allow_0_crontab:ste:1 /etc/cron.d oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_d_0_0:ste:1 /etc/cron.daily oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_daily_0_0:ste:1 /etc/cron.hourly oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_hourly_0_0:ste:1 /etc/cron.monthly oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_monthly_0_0:ste:1 /etc/cron.weekly oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_cron_weekly_0_0:ste:1 /etc/crontab oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_crontab_0_0:ste:1 /etc/group oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_group_0_0:ste:1 /etc/gshadow oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_gshadow_0_42:ste:1 /etc/issue oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_issue_0_0:ste:1 /etc/issue.net oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_issue_net_0_0:ste:1 /etc/motd oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_motd_0_0:ste:1 /etc/passwd oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_passwd_0_0:ste:1 /etc/security/opasswd oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_security_opasswd_0_0:ste:1 /etc/security/opasswd.old oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_security_opasswd_old_0_0:ste:1 /etc/shadow oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_shadow_0_42:ste:1 /etc/shells oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_etc_shells_0_0:ste:1 /usr/bin/journalctl oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_journalctl_0_0:ste:1 /etc/ssh/sshd_config oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_sshd_config_0_0:ste:1 /etc/group ^systemd-journal:\w+:(\w+):.* 1 /usr/lib/group ^systemd-journal:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_system_journal_systemd-journal_gid_etc:obj:1 oval:ssg-object_file_groupowner_system_journal_systemd-journal_gid_usr:obj:1 /run/log/journal ^.*$ oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_system_journal_0_systemd-journal:ste:1 /var/log/journal ^.*$ oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_system_journal_0_systemd-journal:ste:1 /etc/group ^syslog:\w+:(\w+):.* 1 /usr/lib/group ^syslog:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_syslog_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_syslog_gid_usr:obj:1 /var/log oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_0_syslog:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_auth_adm_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_auth_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_auth_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_auth_root_gid_usr:obj:1 /var/log/auth.log oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_auth_0_adm:ste:1 oval:ssg-state_file_groupowner_var_log_auth_1_root:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_cloud_init_adm_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_cloud_init_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_cloud_init_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_cloud_init_root_gid_usr:obj:1 /var/log .*cloud-init\.log.* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_cloud_init_0_adm:ste:1 oval:ssg-state_file_groupowner_var_log_cloud_init_1_root:ste:1 /etc/group ^systemd-journal:\w+:(\w+):.* 1 /usr/lib/group ^systemd-journal:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_journal_systemd-journal_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_journal_systemd-journal_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_journal_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_journal_root_gid_usr:obj:1 /var/log .*\.journal[~]? oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_journal_0_systemd-journal:ste:1 oval:ssg-state_file_groupowner_var_log_journal_1_root:ste:1 /etc/group ^utmp:\w+:(\w+):.* 1 /usr/lib/group ^utmp:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_lastlog_utmp_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_lastlog_utmp_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_lastlog_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_lastlog_root_gid_usr:obj:1 /var/log .*lastlog(\.[^\/]+)? oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_lastlog_0_utmp:ste:1 oval:ssg-state_file_groupowner_var_log_lastlog_1_root:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_localmessages_adm_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_localmessages_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_localmessages_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_localmessages_root_gid_usr:obj:1 /var/log .*localmessages.* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_localmessages_0_adm:ste:1 oval:ssg-state_file_groupowner_var_log_localmessages_1_root:ste:1 /var/log/messages oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_messages_0_0:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_secure_adm_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_secure_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_secure_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_secure_root_gid_usr:obj:1 /var/log .*secure(.*[-\.].*)? oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_secure_0_adm:ste:1 oval:ssg-state_file_groupowner_var_log_secure_1_root:ste:1 /var/log/syslog oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_syslog_0_4:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_waagent_adm_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_waagent_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_waagent_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_waagent_root_gid_usr:obj:1 /var/log .*waagent.log.* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_waagent_0_adm:ste:1 oval:ssg-state_file_groupowner_var_log_waagent_1_root:ste:1 /etc/group ^utmp:\w+:(\w+):.* 1 /usr/lib/group ^utmp:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_wbtmp_utmp_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_wbtmp_utmp_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupowner_var_log_wbtmp_root_gid_etc:obj:1 oval:ssg-object_file_groupowner_var_log_wbtmp_root_gid_usr:obj:1 /var/log .*(b|w)tmp((\.|-)[^\/]+)? oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupowner_var_log_wbtmp_0_utmp:ste:1 oval:ssg-state_file_groupowner_var_log_wbtmp_1_root:ste:1 /sbin/auditctl oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /sbin/aureport oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /sbin/ausearch oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /sbin/autrace oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /sbin/auditd oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /sbin/augenrules oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_binaries_0_0:ste:1 /etc/audit ^.*audit(\.rules|d\.conf)$ oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_configuration_0_0:ste:1 /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownership_audit_configuration_0_0:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /usr/lib/group ^adm:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_apt_adm_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_apt_adm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_apt_root_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_apt_root_gid_usr:obj:1 /var/log/apt .* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerships_var_log_apt_0_adm:ste:1 oval:ssg-state_file_groupownerships_var_log_apt_1_root:ste:1 /etc/group ^gdm:\w+:(\w+):.* 1 /usr/lib/group ^gdm:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_gdm_gdm_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_gdm_gdm_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_gdm_root_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_gdm_root_gid_usr:obj:1 /var/log/gdm .* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerships_var_log_gdm_0_gdm:ste:1 oval:ssg-state_file_groupownerships_var_log_gdm_1_root:ste:1 /etc/group ^gdm:\w+:(\w+):.* 1 /usr/lib/group ^gdm:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_gdm3_gdm_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_gdm3_gdm_gid_usr:obj:1 /etc/group ^gdm3:\w+:(\w+):.* 1 /usr/lib/group ^gdm3:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_gdm3_gdm3_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_gdm3_gdm3_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_gdm3_root_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_gdm3_root_gid_usr:obj:1 /var/log/gdm3 .* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerships_var_log_gdm3_0_gdm:ste:1 oval:ssg-state_file_groupownerships_var_log_gdm3_1_gdm3:ste:1 oval:ssg-state_file_groupownerships_var_log_gdm3_2_root:ste:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_landscape_root_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_landscape_root_gid_usr:obj:1 /etc/group ^landscape:\w+:(\w+):.* 1 /usr/lib/group ^landscape:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_landscape_landscape_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_landscape_landscape_gid_usr:obj:1 /var/log/landscape ^.*$ oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerships_var_log_landscape_0_root:ste:1 oval:ssg-state_file_groupownerships_var_log_landscape_1_landscape:ste:1 /etc/group ^sssd:\w+:(\w+):.* 1 /usr/lib/group ^sssd:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_sssd_sssd_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_sssd_sssd_gid_usr:obj:1 /etc/group ^root:\w+:(\w+):.* 1 /usr/lib/group ^root:\w+:(\w+):.* 1 oval:ssg-object_file_groupownerships_var_log_sssd_root_gid_etc:obj:1 oval:ssg-object_file_groupownerships_var_log_sssd_root_gid_usr:obj:1 /var/log/sssd .* oval:ssg-symlink_file_groupowner:ste:1 oval:ssg-state_file_groupownerships_var_log_sssd_0_sssd:ste:1 oval:ssg-state_file_groupownerships_var_log_sssd_1_root:ste:1 /etc/at.allow oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_at_allow_0_0:ste:1 /etc/at.deny oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_at_deny_0_0:ste:1 /etc/group- oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_backup_etc_group_0_0:ste:1 /etc/gshadow- oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_backup_etc_gshadow_0_0:ste:1 /etc/passwd- oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_backup_etc_passwd_0_0:ste:1 /etc/shadow- oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_backup_etc_shadow_0_0:ste:1 /etc/cron.allow oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_allow_0_0:ste:1 /etc/cron.d oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_d_0_0:ste:1 /etc/cron.daily oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_daily_0_0:ste:1 /etc/cron.hourly oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_hourly_0_0:ste:1 /etc/cron.monthly oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_monthly_0_0:ste:1 /etc/cron.weekly oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_cron_weekly_0_0:ste:1 /etc/crontab oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_crontab_0_0:ste:1 /etc/group oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_group_0_0:ste:1 /etc/gshadow oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_gshadow_0_0:ste:1 /etc/issue oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_issue_0_0:ste:1 /etc/issue.net oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_issue_net_0_0:ste:1 /etc/motd oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_motd_0_0:ste:1 /etc/passwd oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_passwd_0_0:ste:1 /etc/security/opasswd oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_security_opasswd_0_0:ste:1 /etc/security/opasswd.old oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_security_opasswd_old_0_0:ste:1 /etc/shadow oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_shadow_0_0:ste:1 /etc/shells oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_etc_shells_0_0:ste:1 /boot/grub/grub.cfg oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_grub2_cfg_0_0:ste:1 /usr/bin/journalctl oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_journalctl_0_0:ste:1 /etc/ssh/sshd_config oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_sshd_config_0_0:ste:1 /run/log/journal ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_system_journal_0_0:ste:1 /var/log/journal ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_system_journal_0_0:ste:1 /var/log oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_0_0:ste:1 syslog root /var/log/auth.log oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_auth_0_syslog:ste:1 oval:ssg-state_file_owner_var_log_auth_1_root:ste:1 syslog root /var/log .*cloud-init\.log.* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_cloud_init_0_syslog:ste:1 oval:ssg-state_file_owner_var_log_cloud_init_1_root:ste:1 /var/log .*\.journal(~)?$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_journal_0_0:ste:1 /var/log .*lastlog(\.[^\/]+)?$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_lastlog_0_0:ste:1 syslog root /var/log .*localmessages.* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_localmessages_0_syslog:ste:1 oval:ssg-state_file_owner_var_log_localmessages_1_root:ste:1 /var/log/messages oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_messages_0_0:ste:1 syslog root /var/log .*secure(.*[-\.].*)? oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_secure_0_syslog:ste:1 oval:ssg-state_file_owner_var_log_secure_1_root:ste:1 syslog /var/log/syslog oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_syslog_0_syslog:ste:1 syslog root /var/log .*waagent.log.* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_waagent_0_syslog:ste:1 oval:ssg-state_file_owner_var_log_waagent_1_root:ste:1 /var/log .*(b|w)tmp((\.|-)[^\/]+)?$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_owner_var_log_wbtmp_0_0:ste:1 /sbin/auditctl oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /sbin/aureport oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /sbin/ausearch oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /sbin/autrace oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /sbin/auditd oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /sbin/augenrules oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_binaries_0_0:ste:1 /etc/audit ^.*audit(\.rules|d\.conf)$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_configuration_0_0:ste:1 /etc/audit/rules.d ^.*\.rules$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_audit_configuration_0_0:ste:1 /lib ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 /lib64 ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 /usr/lib ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 /usr/lib64 ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownership_library_dirs_0_0:ste:1 /var/log/apt ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerships_var_log_apt_0_0:ste:1 /var/log/gdm .* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerships_var_log_gdm_0_0:ste:1 /var/log/gdm3 .* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerships_var_log_gdm3_0_0:ste:1 root landscape /var/log/landscape ^.*$ oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerships_var_log_landscape_0_root:ste:1 oval:ssg-state_file_ownerships_var_log_landscape_1_landscape:ste:1 sssd root /var/log/sssd .* oval:ssg-symlink_file_owner:ste:1 oval:ssg-state_file_ownerships_var_log_sssd_0_sssd:ste:1 oval:ssg-state_file_ownerships_var_log_sssd_1_root:ste:1 /etc/at.allow oval:ssg-exclude_symlinks__at_allow:ste:1 oval:ssg-state_file_permissions_at_allow_0_mode_0640or_stricter_:ste:1 /etc/at.deny oval:ssg-exclude_symlinks__at_deny:ste:1 oval:ssg-state_file_permissions_at_deny_0_mode_0640or_stricter_:ste:1 /sbin/auditctl oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_0_mode_0755or_stricter_:ste:1 /sbin/aureport oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_1_mode_0755or_stricter_:ste:1 /sbin/ausearch oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_2_mode_0755or_stricter_:ste:1 /sbin/autrace oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_3_mode_0755or_stricter_:ste:1 /sbin/auditd oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_4_mode_0755or_stricter_:ste:1 /sbin/augenrules oval:ssg-exclude_symlinks__audit_binaries:ste:1 oval:ssg-state_file_permissions_audit_binaries_5_mode_0755or_stricter_:ste:1 /etc/group- oval:ssg-exclude_symlinks__backup_etc_group:ste:1 oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1 /etc/gshadow- oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1 oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0640or_stricter_:ste:1 /etc/passwd- oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1 oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1 /etc/shadow- oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1 oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0640or_stricter_:ste:1 /etc/cron.allow oval:ssg-exclude_symlinks__cron_allow:ste:1 oval:ssg-state_file_permissions_cron_allow_0_mode_0640or_stricter_:ste:1 /etc/cron.d oval:ssg-exclude_symlinks__cron_d:ste:1 oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1 /etc/cron.daily oval:ssg-exclude_symlinks__cron_daily:ste:1 oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1 /etc/cron.hourly oval:ssg-exclude_symlinks__cron_hourly:ste:1 oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1 /etc/cron.monthly oval:ssg-exclude_symlinks__cron_monthly:ste:1 oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1 /etc/cron.weekly oval:ssg-exclude_symlinks__cron_weekly:ste:1 oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1 /etc/crontab oval:ssg-exclude_symlinks__crontab:ste:1 oval:ssg-state_file_permissions_crontab_0_mode_0600or_stricter_:ste:1 /etc/audit/auditd.conf oval:ssg-exclude_symlinks__etc_audit_auditd:ste:1 oval:ssg-state_file_permissions_etc_audit_auditd_0_mode_0640or_stricter_:ste:1 /etc/audit/audit.rules oval:ssg-exclude_symlinks__etc_audit_rules:ste:1 oval:ssg-state_file_permissions_etc_audit_rules_0_mode_0640or_stricter_:ste:1 /etc/audit/rules.d ^.*rules$ oval:ssg-exclude_symlinks__etc_audit_rulesd:ste:1 oval:ssg-state_file_permissions_etc_audit_rulesd_0_mode_0600or_stricter_:ste:1 /etc/group oval:ssg-exclude_symlinks__etc_group:ste:1 oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1 /etc/gshadow oval:ssg-exclude_symlinks__etc_gshadow:ste:1 oval:ssg-state_file_permissions_etc_gshadow_0_mode_0640or_stricter_:ste:1 /etc/issue oval:ssg-exclude_symlinks__etc_issue:ste:1 oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1 /etc/issue.net oval:ssg-exclude_symlinks__etc_issue_net:ste:1 oval:ssg-state_file_permissions_etc_issue_net_0_mode_0644or_stricter_:ste:1 /etc/motd oval:ssg-exclude_symlinks__etc_motd:ste:1 oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1 /etc/passwd oval:ssg-exclude_symlinks__etc_passwd:ste:1 oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1 /etc/security/opasswd oval:ssg-exclude_symlinks__etc_security_opasswd:ste:1 oval:ssg-state_file_permissions_etc_security_opasswd_0_mode_0600or_stricter_:ste:1 /etc/security/opasswd.old oval:ssg-exclude_symlinks__etc_security_opasswd_old:ste:1 oval:ssg-state_file_permissions_etc_security_opasswd_old_0_mode_0600or_stricter_:ste:1 /etc/shadow oval:ssg-exclude_symlinks__etc_shadow:ste:1 oval:ssg-state_file_permissions_etc_shadow_0_mode_0640or_stricter_:ste:1 /etc/shells oval:ssg-exclude_symlinks__etc_shells:ste:1 oval:ssg-state_file_permissions_etc_shells_0_mode_0644or_stricter_:ste:1 /boot/grub/grub.cfg oval:ssg-exclude_symlinks__grub2_cfg:ste:1 oval:ssg-state_file_permissions_grub2_cfg_0_mode_0600or_stricter_:ste:1 /usr/bin/journalctl oval:ssg-exclude_symlinks__journalctl:ste:1 oval:ssg-state_file_permissions_journalctl_0_mode_0740or_stricter_:ste:1 /lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1 /lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1 /usr/lib ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1 /usr/lib64 ^.*$ oval:ssg-exclude_symlinks__library_dirs:ste:1 oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1 /etc/ssh/sshd_config oval:ssg-exclude_symlinks__sshd_config:ste:1 oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1 /etc/ssh ^.*\.pub$ oval:ssg-exclude_symlinks__sshd_pub_key:ste:1 oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1 /run/log/journal ^.*$ oval:ssg-exclude_symlinks__system_journal:ste:1 oval:ssg-state_file_permissions_system_journal_0_mode_0640or_stricter_:ste:1 /var/log/journal ^.*$ oval:ssg-exclude_symlinks__system_journal:ste:1 oval:ssg-state_file_permissions_system_journal_1_mode_0640or_stricter_:ste:1 /boot ^.*System\.map.*$ oval:ssg-exclude_symlinks__systemmap:ste:1 oval:ssg-state_file_permissions_systemmap_0_mode_0600or_stricter_:ste:1 /var/log oval:ssg-exclude_symlinks__var_log:ste:1 oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1 /var/log/apt ^.*$ oval:ssg-exclude_symlinks__var_log_apt:ste:1 oval:ssg-state_file_permissions_var_log_apt_0_mode_0644or_stricter_:ste:1 /var/log/auth.log oval:ssg-exclude_symlinks__var_log_auth:ste:1 oval:ssg-state_file_permissions_var_log_auth_0_mode_0640or_stricter_:ste:1 /var/log .*cloud-init.log([^\/]+)?$ oval:ssg-exclude_symlinks__var_log_cloud-init:ste:1 oval:ssg-state_file_permissions_var_log_cloud-init_0_mode_0644or_stricter_:ste:1 /var/log/gdm .* oval:ssg-exclude_symlinks__var_log_gdm:ste:1 oval:ssg-state_file_permissions_var_log_gdm_0_mode_0660or_stricter_:ste:1 /var/log/gdm3 .* oval:ssg-exclude_symlinks__var_log_gdm3:ste:1 oval:ssg-state_file_permissions_var_log_gdm3_0_mode_0660or_stricter_:ste:1 /var/log .*lastlog(\.[^\/]+)?$ oval:ssg-exclude_symlinks__var_log_lastlog:ste:1 oval:ssg-state_file_permissions_var_log_lastlog_0_mode_0664or_stricter_:ste:1 /var/log .*localmessages([^\/]+)?$ oval:ssg-exclude_symlinks__var_log_localmessages:ste:1 oval:ssg-state_file_permissions_var_log_localmessages_0_mode_0644or_stricter_:ste:1 /var/log/messages oval:ssg-exclude_symlinks__var_log_messages:ste:1 oval:ssg-state_file_permissions_var_log_messages_0_mode_0600or_stricter_:ste:1 /var/log/secure oval:ssg-exclude_symlinks__var_log_secure:ste:1 oval:ssg-state_file_permissions_var_log_secure_0_mode_0640or_stricter_:ste:1 /var/log/sssd .* oval:ssg-exclude_symlinks__var_log_sssd:ste:1 oval:ssg-state_file_permissions_var_log_sssd_0_mode_0660or_stricter_:ste:1 /var/log/syslog oval:ssg-exclude_symlinks__var_log_syslog:ste:1 oval:ssg-state_file_permissions_var_log_syslog_0_mode_0640or_stricter_:ste:1 /var/log .*waagent.log([^\/]+)?$ oval:ssg-exclude_symlinks__var_log_waagent:ste:1 oval:ssg-state_file_permissions_var_log_waagent_0_mode_0644or_stricter_:ste:1 /var/log .*(b|w)tmp((\.|-)[^\/]+)?$ oval:ssg-exclude_symlinks__var_log_wbtmp:ste:1 oval:ssg-state_file_permissions_var_log_wbtmp_0_mode_0664or_stricter_:ste:1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub.d/[^/]+\.cfg ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub.d/*.cfg ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /boot/grub/grub.cfg ^.*/vmlinuz.*(root=.*)$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /etc/default/grub.d/[^/]+\.cfg ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub.d/*.cfg ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 /boot/grub/grub.cfg ^.*/vmlinuz.*(root=.*)$ 1 libpam-pkcs11 /etc/systemd/journald.conf ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*Compress\h*=\h*(.+?)[ \t]*(?:$|#) 1 /etc/systemd/journald.conf.d .*\.conf$ ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*Compress\h*=\h*(.+?)[ \t]*(?:$|#) 1 /etc/systemd/journald.conf ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*ForwardToSyslog\h*=\h*(.+?)[ \t]*(?:$|#) 1 /etc/systemd/journald.conf.d .*\.conf$ ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*ForwardToSyslog\h*=\h*(.+?)[ \t]*(?:$|#) 1 /etc/systemd/journald.conf ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*Storage\h*=\h*(.+?)[ \t]*(?:$|#) 1 /etc/systemd/journald.conf.d .*\.conf$ ^\s*\[Journal\].*(?:\n\s*[^[\s].*)*\n^[ \t]*Storage\h*=\h*(.+?)[ \t]*(?:$|#) 1 ^.*\.conf$ ^\s*install\s+cramfs\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+cramfs$ 1 ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+dccp$ 1 ^.*\.conf$ ^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+freevxfs$ 1 ^.*\.conf$ ^\s*install\s+hfs\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+hfs$ 1 ^.*\.conf$ ^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+hfsplus$ 1 ^.*\.conf$ ^\s*install\s+jffs2\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+jffs2$ 1 ^.*\.conf$ ^\s*install\s+rds\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+rds$ 1 ^.*\.conf$ ^\s*install\s+sctp\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+sctp$ 1 ^.*\.conf$ ^\s*install\s+squashfs\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+squashfs$ 1 ^.*\.conf$ ^\s*install\s+tipc\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+tipc$ 1 ^.*\.conf$ ^\s*install\s+udf\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+udf$ 1 ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1 ^.*\.conf$ ^blacklist\s+usb-storage$ 1 /dev/shm /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 /dev/shm /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 /dev/shm /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/dev/shm[\s]+[\S]+[\s]+([\S]+) 1 /home /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 /home /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/home[\s]+[\S]+[\s]+([\S]+) 1 /tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 /tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 /tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/tmp[\s]+[\S]+[\s]+([\S]+) 1 /var/log/audit /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 /var/log/audit /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 /var/log/audit /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log/audit[\s]+[\S]+[\s]+([\S]+) 1 /var/log /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 /var/log /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 /var/log /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/log[\s]+[\S]+[\s]+([\S]+) 1 /var /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 /var /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var[\s]+[\S]+[\s]+([\S]+) 1 /var/tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 /var/tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 /var/tmp /etc/fstab ^[\s]*(?!#)[\S]+[\s]+/var/tmp[\s]+[\S]+[\s]+([\S]+) 1 aide apparmor-utils apparmor audispd-plugins auditd autofs avahi-daemon bind9 oval:ssg-var_timesync_service:var:1 chrony cron cups dconf-service isc-dhcp-server dnsmasq dovecot-core ftp gdm3 gdm3 apache2 inetutils-telnetd oval:ssg-var_network_filtering_service:var:1 iptables-persistent iptables-persistent oval:ssg-var_network_filtering_service:var:1 iptables logrotate snmp nfs-kernel-server oval:ssg-var_network_filtering_service:var:1 nftables nginx nis ntp ntpdate ldap-utils slapd opensc-pkcs11 openssh-server openssh-server libpam-modules libpam-pwquality libpam-runtime prelink rpcbind rsh-server rsh-client rsync rsyslog samba squid sudo systemd-journal-remote talk telnet telnetd-ssl telnetd tftpd-hpa oval:ssg-var_timesync_service:var:1 systemd-timesyncd oval:ssg-var_timesync_service:var:1 systemd-timesyncd oval:ssg-var_network_filtering_service:var:1 ufw oval:ssg-var_network_filtering_service:var:1 ufw vsftpd xinetd xserver-common ypserv /dev/shm /home /tmp /var /var/log /var/log/audit /var/tmp /var/log .* oval:ssg-exclude_files_permissions_local_var_log_0:ste:1 oval:ssg-exclude_files_permissions_local_var_log_1:ste:1 oval:ssg-exclude_files_permissions_local_var_log_2:ste:1 oval:ssg-exclude_files_permissions_local_var_log_3:ste:1 oval:ssg-exclude_files_permissions_local_var_log_4:ste:1 oval:ssg-exclude_files_permissions_local_var_log_5:ste:1 oval:ssg-exclude_files_permissions_local_var_log_6:ste:1 oval:ssg-exclude_symlinks_permissions_local_var_log:ste:1 oval:ssg-state_file_permissionspermissions_local_var_log_0_mode_0640or_stricter_:ste:1 /etc/rsyslog.conf ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ 1 oval:ssg-var_rsyslog_files_groupownership_include_config_regex:var:1 oval:ssg-var_rsyslog_files_groupownership_syslog_config:var:1 oval:ssg-object_var_rsyslog_files_groupownership_include_config_regex:obj:1 oval:ssg-object_var_rsyslog_files_groupownership_syslog_config:obj:1 ^\s*[^#$].*?(?:\b[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$ 1 oval:ssg-state_rsyslog_files_groupownership_ignore_include_paths:ste:1 /etc/group ^adm:\w+:(\w+):.* 1 /etc/rsyslog.conf ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ 1 oval:ssg-var_rsyslog_files_ownership_include_config_regex:var:1 oval:ssg-var_rsyslog_files_ownership_syslog_config:var:1 oval:ssg-object_var_rsyslog_files_ownership_include_config_regex:obj:1 oval:ssg-object_var_rsyslog_files_ownership_syslog_config:obj:1 ^\s*[^#$].*?(?:\b[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$ 1 oval:ssg-state_rsyslog_files_ownership_ignore_include_paths:ste:1 /etc/passwd ^syslog:\w+:(\w+):.* 1 /etc/rsyslog.conf ^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$ 1 oval:ssg-var_rsyslog_files_permissions_include_config_regex:var:1 oval:ssg-var_rsyslog_files_permissions_syslog_config:var:1 oval:ssg-object_var_rsyslog_files_permissions_include_config_regex:obj:1 oval:ssg-object_var_rsyslog_files_permissions_syslog_config:obj:1 ^\s*[^#$].*?(?:\b[Ff]ile="([^"\s]+)"|[\s]+-?(\/[^:;\s]+)).*$ 1 oval:ssg-state_rsyslog_files_permissions_ignore_include_paths:ste:1 ^apport\.(service|socket)$ ActiveState ^apport\.(service|socket)$ LoadState apport multi-user.target multi-user.target ^auditd\.(socket|service)$ ActiveState auditd ^autofs\.(service|socket)$ ActiveState ^autofs\.(service|socket)$ LoadState autofs ^avahi-daemon\.(service|socket)$ ActiveState ^avahi-daemon\.(service|socket)$ LoadState avahi-daemon ^bluetooth\.(service|socket)$ ActiveState ^bluetooth\.(service|socket)$ LoadState bluez oval:ssg-var_timesync_service:var:1 ^chrony\.(service|socket)$ ActiveState ^chrony\.(service|socket)$ LoadState chrony multi-user.target multi-user.target ^chrony\.(socket|service)$ ActiveState oval:ssg-var_timesync_service:var:1 chrony multi-user.target multi-user.target ^cron\.(socket|service)$ ActiveState cron ^cups\.(service|socket)$ ActiveState ^cups\.(service|socket)$ LoadState cups ^dhcpd6\.(service|socket)$ ActiveState ^dhcpd6\.(service|socket)$ LoadState dhcp ^dhcpd\.(service|socket)$ ActiveState ^dhcpd\.(service|socket)$ LoadState dhcp ^dnsmasq\.(service|socket)$ ActiveState ^dnsmasq\.(service|socket)$ LoadState dnsmasq ^dovecot\.(service|socket)$ ActiveState ^dovecot\.(service|socket)$ LoadState dovecot ^apache2\.(service|socket)$ ActiveState ^apache2\.(service|socket)$ LoadState apache2 ^kdump-tools\.(service|socket)$ ActiveState ^kdump-tools\.(service|socket)$ LoadState kexec-tools ^nfs-server\.(service|socket)$ ActiveState ^nfs-server\.(service|socket)$ LoadState nfs-utils ^nftables\.(service|socket)$ ActiveState ^nftables\.(service|socket)$ LoadState nftables multi-user.target multi-user.target ^nftables\.(socket|service)$ ActiveState nftables ^nginx\.(service|socket)$ ActiveState ^nginx\.(service|socket)$ LoadState nginx multi-user.target multi-user.target ^postfix\.(socket|service)$ ActiveState postfix ^rpcbind\.(service|socket)$ ActiveState ^rpcbind\.(service|socket)$ LoadState rpcbind ^rsyncd\.(service|socket)$ ActiveState ^rsyncd\.(service|socket)$ LoadState rsync-daemon multi-user.target multi-user.target ^rsyslog\.(socket|service)$ ActiveState rsyslog ^slapd\.(service|socket)$ ActiveState ^slapd\.(service|socket)$ LoadState openldap-servers ^smbd\.(service|socket)$ ActiveState ^smbd\.(service|socket)$ LoadState samba ^snmpd\.(service|socket)$ ActiveState ^snmpd\.(service|socket)$ LoadState net-snmp ^squid\.(service|socket)$ ActiveState ^squid\.(service|socket)$ LoadState squid multi-user.target multi-user.target ^ssh\.(socket|service)$ ActiveState openssh-server multi-user.target multi-user.target ^systemd-journal-upload\.(socket|service)$ ActiveState systemd-journal-remote multi-user.target multi-user.target ^systemd-journald\.(socket|service)$ ActiveState systemd ^tftpd-hpa\.(service|socket)$ ActiveState ^tftpd-hpa\.(service|socket)$ LoadState tftpd-hpa oval:ssg-var_timesync_service:var:1 ^systemd-timesyncd\.(service|socket)$ ActiveState ^systemd-timesyncd\.(service|socket)$ LoadState systemd-timesyncd multi-user.target multi-user.target ^systemd-timesyncd\.(socket|service)$ ActiveState oval:ssg-var_timesync_service:var:1 systemd-timesyncd multi-user.target multi-user.target ^ufw\.(socket|service)$ ActiveState oval:ssg-var_network_filtering_service:var:1 ufw ^vsftpd\.(service|socket)$ ActiveState ^vsftpd\.(service|socket)$ LoadState vsftpd ^xinetd\.(service|socket)$ ActiveState ^xinetd\.(service|socket)$ LoadState xinetd ^ypserv\.(service|socket)$ ActiveState ^ypserv\.(service|socket)$ LoadState ypserv ^systemd-journal-remote.socket$ LoadState /etc/ssh/sshd_config ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_empty_passwords:obj:1 oval:ssg-obj_sshd_disable_empty_passwords_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)DisableForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)DisableForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_forwarding:obj:1 oval:ssg-obj_sshd_disable_forwarding_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_gssapi_auth:obj:1 oval:ssg-obj_sshd_disable_gssapi_auth_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_rhosts:obj:1 oval:ssg-obj_sshd_disable_rhosts_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_root_login:obj:1 oval:ssg-obj_sshd_disable_root_login_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_disable_x11_forwarding:obj:1 oval:ssg-obj_sshd_disable_x11_forwarding_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_do_not_permit_user_env:obj:1 oval:ssg-obj_sshd_do_not_permit_user_env_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_enable_pam:obj:1 oval:ssg-obj_sshd_enable_pam_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_enable_pubkey_auth:obj:1 oval:ssg-obj_sshd_enable_pubkey_auth_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_enable_warning_banner_net:obj:1 oval:ssg-obj_sshd_enable_warning_banner_net_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_set_keepalive:obj:1 oval:ssg-obj_sshd_set_keepalive_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_set_loglevel_info:obj:1 oval:ssg-obj_sshd_set_loglevel_info_config_dir:obj:1 /etc/ssh/sshd_config ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 /etc/ssh/sshd_config.d .*\.conf$ ^[ \t]*(?i)X11UseLocalhost(?-i)[ \t]+(.+?)[ \t]*(?:$|#) 1 oval:ssg-obj_sshd_x11_use_localhost:obj:1 oval:ssg-obj_sshd_x11_use_localhost_config_dir:obj:1 ^/etc/sudoers(|\.d/.*)$ ^[\s]*Defaults\b[^!\n]*\buse_pty.*$ 1 ^/etc/sudoers(|\.d/.*)$ ^[\s]*Defaults\b[^!\n]*\blogfile\s*=\s*(?:"?([^",\s]+)"?).*$ 1 fs.protected_hardlinks oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_sysctl_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_fs_protected_hardlinks:obj:1 oval:ssg-object_static_run_sysctld_sysctl_fs_protected_hardlinks:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 fs.protected_symlinks oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_sysctl_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_fs_protected_symlinks:obj:1 oval:ssg-object_static_run_sysctld_sysctl_fs_protected_symlinks:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*\S)[\s]*$ 1 fs.suid_dumpable oval:ssg-object_static_etc_lib_sysctls_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_sysctl_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_fs_suid_dumpable:obj:1 oval:ssg-object_static_run_sysctld_sysctl_fs_suid_dumpable:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*\S)[\s]*$ 1 kernel.dmesg_restrict oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_dmesg_restrict:obj:1 oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*\S)[\s]*$ 1 kernel.randomize_va_space oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_randomize_va_space:obj:1 oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*\S)[\s]*$ 1 kernel.yama.ptrace_scope oval:ssg-object_static_etc_lib_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1 oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.accept_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.accept_source_route oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.log_martians oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.rp_filter oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.secure_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.all.send_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.accept_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.accept_source_route oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.log_martians oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.rp_filter oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.secure_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.conf.default.send_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.icmp_echo_ignore_broadcasts oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.icmp_ignore_bogus_error_responses oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.ip_forward oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_ip_forward:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv4.tcp_syncookies oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.all.accept_ra oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.all.accept_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.all.accept_source_route oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.all.disable_ipv6 oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.all.forwarding oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.default.accept_ra oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.default.accept_redirects oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*\S)[\s]*$ 1 net.ipv6.conf.default.accept_source_route oval:ssg-object_static_etc_lib_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_usr_local_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_usr_local_lib_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 /etc(/ufw){0,1}/sysctl.conf$ ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/local/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*\S)[\s]*$ 1 /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*use_mappers = pwent[\s]*$ 1 vlock ^/boot/loader/entries/.*.conf ^options (.*)$ 1 ^/etc/kernel/cmdline ^(.*)$ 1 ^/boot/loader/entries/.*.conf ^options (.*)$ 1 ^/etc/kernel/cmdline ^(.*)$ 1 ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ 1 /usr/lib/systemd/system/auditd.service ^ExecStartPost=\-\/sbin\/auditctl.*$ 1 /usr/lib/systemd/system/auditd.service ^(ExecStartPost=\-\/sbin\/augenrules.*$|Requires=augenrules.service) 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 ^/etc/audit/rules\.d/.*\.rules$ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/audit.rules ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ 1 /etc/audit/auditd.conf ^(log_file\s*=\s*.*)$ 1 /etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 /etc/audit/auditd.conf ^[ ]*log_group[ ]+=.*$ 1 kernel rpm-ostree bootc openshift-kubelet /run/ostree-booted /ostree ^/etc/default/grub(\.d/[^/]+\.cfg)?$ ^\s*GRUB_DISABLE_RECOVERY=(.*)$ 1 oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 oval:ssg-sshd_required:var:1 oval:ssg-var_accounts_user_umask_umask_as_number:var:1 false false false true true true false false false false false false false false false true true true true false true false false false 0 0 0 true true true true true true true true true true true true true true true true true true true true true true true true true true true true true ^(/dev/.*|composefs)$ nosuid noexec true true ^/var/tmp/dracut.* ^/sysroot/.*$ ^[\s]+"false"[\s]*;[\s]*$ ::1 25 465 587 maxpoll \d+ ^_chrony$ active 1 symbolic link /etc/ssh .*_key$ 0 0 false false false false false false false false false false 0 0 0 0 aes256-ctr,aes256-gcm@openssh.com,aes192-ctr,aes128-ctr,aes128-gcm@openssh.com ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com ^((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+$ ^((aes128-ctr|aes192-ctr|aes256-ctr|chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com),?)+$ 1 ^[^#\n\r]*pam_pwhistory\.so[ \t]+[^#\n\r]*use_authtok.*$ ^[^#\n\r]*pam_pwhistory\.so.*$ ^[^#\n\r]+[ \t]+pam_unix\.so[ \t]+[^#\n\r]+use_authtok.*$ ^[^#\n\r]+[ \t]+pam_unix\.so.*$ 0 /etc/systemd/system/ctrl-alt-del.target /dev/null (^|,\s*)ca(\s*,|$) ^.*ocsp_on.*$ (^|,\s*)(crl_auto|crl_offline)(\s*,|$) -1 ^\s*$ ^[x*]$ ^(!|!!|!\*|\*|!locked)$ 0 1000 ^(nobody|nfsnobody)$ ^(?:/usr)?/sbin/nologin$ 0 ^[^:]+:[^:]+:[0-9]+:\s*$ ^.*\bnologin\b.*$ ^(nobody|nfsnobody|root)$ 0 ^(\!|\*).*$ 1 1 ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ ^(nobody|nfsnobody)$ false false false false false false false false false false 1000 ^(nobody|nfsnobody)$ ^(?:/usr)?/sbin/nologin$ false false false false false false false false 1000 ^(nobody|nfsnobody)$ ^(?:/usr)?/sbin/nologin$ ^(nobody|nfsnobody)$ directory false false false false false false false true true symbolic link 0 ^[:\.] :: \.\. [:\.]$ ^[^/] [^\\]:[^/] /etc/localtime ^(/usr)?/share/zoneinfo(/Etc)?/(GMT|UTC)$ false true ^/dev/.*$ regular true ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ ^/sysroot/.*$ ^/dev/.*$ ^/sysroot/.*$ ^/dev/.*$ altfiles symbolic link 0 ^/var/log/apt/.* ^/var/log/landscape/.* auth.log ^[bw]tmp((\.|-).*)?$ ^cloud-init\.log.* ^/var/log/(gdm|gdm3)/.*$ ^.*\.journal.*$ ^lastlog.*$ ^localmessages.*$ messages ^secure.*$ ^/var/log/sssd/.*$ syslog ^waagent\.log.*$ symbolic link 0 ^/var/log/apt/.* ^/var/log/landscape/.* auth.log ^[bw]tmp((\.|-).*)?$ ^cloud-init\.log.* ^/var/log/(gdm|gdm3)/.*$ ^.*\.journal.*$ ^lastlog.*$ ^localmessages.*$ messages ^secure.*$ ^/var/log/sssd/.*$ syslog ^waagent\.log.*$ 1000 1000 false symbolic link 0 1000 true true symbolic link symbolic link 1000 0 0 bind .+ iso9660 ^false$ 0 1 ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ enabled active 0 1 ^no$ apparmor.service apparmor.socket active ^1 -1$ symbolic link symbolic link false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false symbolic link false false false false false false false false false false false false symbolic link ^no$ ^no$ false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false false false false false false false false false false false false false false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false false false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false false false symbolic link false false false false false false false false symbolic link false false false false false false false symbolic link ^(?:.*\s)?audit=1(?:\s.*)?$ ^yes$ ^yes$ ^no$ ^no$ ^persistent$ ^persistent$ nodev 1 nodev noexec 1 noexec nosuid 1 nosuid nodev 1 nodev nosuid 1 nosuid nodev 1 nodev noexec 1 noexec nosuid 1 nosuid nodev 1 nodev noexec 1 noexec nosuid 1 nosuid nodev 1 nodev noexec 1 noexec nosuid 1 nosuid nodev 1 nodev nosuid 1 nosuid nodev 1 nodev noexec 1 noexec nosuid 1 nosuid chronyd iptables iptables nftables 0:1.4.0-11 0:1.4.0-11 systemd-timesyncd systemd-timesyncd ufw ufw false false false false false false false false false symbolic link ^history.log.*$ ^eipp.log.xz.*$ ^[bw]tmp$ ^[bw]tmp..*$ ^[bw]tmp-.*$ ^lastlog$ ^lastlog..*$ (?:include\([\n\s]*\b[Ff]ile="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|^\s+\b[Ff]ile="|\/dev\/.*) regular (?:include\([\n\s]*\b[Ff]ile="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|^\s+\b[Ff]ile="|\/dev\/.*) regular (?:include\([\n\s]*\b[Ff]ile="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|^\s+\b[Ff]ile="|\/dev\/.*) regular false false false false false false false false false inactive|failed masked not-found auditd.service auditd.socket active inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found chronyd inactive|failed masked not-found chrony.service chrony.socket active chronyd cron.service cron.socket active inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found nftables.service nftables.socket active inactive|failed masked not-found postfix.service postfix.socket active inactive|failed masked not-found inactive|failed masked not-found rsyslog.service rsyslog.socket active inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found ssh.service ssh.socket active systemd-journal-upload.service systemd-journal-upload.socket active systemd-journald.service systemd-journald.socket active inactive|failed masked not-found systemd-timesyncd inactive|failed masked not-found systemd-timesyncd.service systemd-timesyncd.socket active systemd-timesyncd ufw.service ufw.socket active ufw inactive|failed masked not-found inactive|failed masked not-found inactive|failed masked not-found masked ^no$ ^no$ ^yes$ ^yes$ ^no$ ^no$ ^yes$ ^yes$ ^no$ ^no$ ^no$ ^no$ ^no$ ^no$ ^yes$ ^yes$ ^yes$ ^yes$ ^/etc/issue.net$ ^/etc/issue.net$ ^INFO$ ^INFO$ ^yes$ ^yes$ 1 1 1 1 0 0 1 1 2 2 1 1 0 0 0 0 0 0 1 1 ^(?:.*\s)?audit=1(?:\s.*)?$ ^(?:.*\s)?audit=1(?:\s.*)?$ ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ ^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$ /ostree symbolic link ^(true|"true")$ 1 2 0 aarch64 ppc64 ppc64le s390x x86_64 ^[\s]*-a always,exit (?:-F path=([\S]+))+(?: -F perm=x)? -F auid>=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?i) (?i) (?i) (?i) ^(?:server)[[:space:]] $ ^(?:pool)[[:space:]] $ ^\s*\[Time\].*(?:\n\s*[^[\s].*)*\n^[[:space:]]*(NTP|FallbackNTP)[[:space:]]*=[[:space:]]* .*$ ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$ ^\s*auth.*pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]*audit ^[\s]*audit ^\s*auth\N+pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^\s*auth.*pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail[\s\S]*^\s*auth\s+sufficient\s+pam_faillock\.so\s+authsucc ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^ ]*silent ^[\s]*silent ^ $ ^ $ ^.*:.*:.*: :.*:.*:.*$ 86400 0 -1 ^ :[^:]+:[0-9]+:.*$ ^(?: ):(?:[^:]*:){5}([^:]+)$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ ^(?: :)(?:[^:]*:){2}([^:]+):(?:[^:]*:){2}[^:]*$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ ^(?: :)(?:[^:]*:)([^:]+):(?:[^:]*:){3}[^:]*$ ^(?: ):(?:[^:]*:){4}([^:]+):[^:]*$ 64 8 64 8 64 8 ^[^:]+:[^:]*:( ):$ ^[^:]*:[^:]*: :(\d+):.*$ /dev/mapper/ / ^\s*auth\N+pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) ^[\s]*deny[\s]*=[\s]*([0-9]+) ^\s*auth\N+pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) ^\s*auth\N+pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*root_unlock_time=([0-9]+) ^[\s]*root_unlock_time[\s]*=[\s]*([0-9]+) ^\s*auth\N+pam_unix\.so ^\s*auth\s+(requisite|required)\s+pam_faillock\.so.*preauth.*[\s\S]*^\s*auth.*pam_unix\.so[\s\S]*^\s*auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail ^\s*account\s+required\s+pam_faillock\.so\s*(#.*)?$ ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) ^\-w[\s]+ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/faillog [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/lastlog [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/apparmor [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/apparmor.d [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/btmp [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/run\/utmp [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/wtmp [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/sudoers [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/sudoers.d\/ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/localtime [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* ^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&).)* [\s]+(?:-F\s+auid>=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) (?:-F\s+exit=-EACCES) (?:-F\s+exit=-EPERM) ^\-w[\s]+ \/etc\/group [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/gshadow [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/nsswitch.conf [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/security\/opasswd [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/pam.conf [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/pam.d\/ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/passwd [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/etc\/shadow [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/journal\/ [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ ^\-w[\s]+ \/var\/log\/sudo.log [\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*$ 0 0 0 0 0 0 0 0 42 0 42 0 0 0 0 0 0 0 42 0 0 0 0 0 0 42 0 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ^(?:.*\s)?audit_backlog_limit= (?:\s.*)?$ /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d /etc/modprobe.d /etc/modules-load.d /run/modprobe.d /run/modules-load.d /usr/lib/modprobe.d /usr/lib/modules-load.d ^/etc/rsyslog.conf$ ^/etc/rsyslog.conf$ ^/etc/rsyslog.conf$ /etc/pam.d/common-password 64 8